Sorry, I'm not going to check it for correctness. (It actually depends on what is do you have in UI.) The whole idea is so wrong and dangerous, so your code should not be considered. You should never compose a query by concatenating strings, especially taken from UI. Just think about it: a text input can contain anything, including… fragment of SQL code.
This opens doors to a well-known exploit called
SQL injection. Please see my past answers explaining it, with explanation of what you should do:
hi name is not displaying in name?[
^],
EROR IN UPATE in com.ExecuteNonQuery();[
^].
This is a great example:
http://xkcd.com/327/[
^].
This is not the only problem. You demonstrate the trend to work with string representation of data instead of data itself. This is very bad.
Good luck,
—SA