Instead of writing the query as
insert into table_name values (10,'somevalue')
use the query as
insert into table_name values (@fval,@secval);
Now use the parameterised query as follows.
using System.Data;
using System.Data.SqlClient;

// The placeholders @fval and @secval are bound as typed parameters,
// so the textbox input is never spliced into the SQL text itself.
SqlConnection cn = new SqlConnection("connection string here");
SqlCommand cmd = new SqlCommand("insert into table_name values (@fval,@secval)", cn);
SqlParameter p1 = new SqlParameter("@fval", SqlDbType.Int);
p1.Value = valueFromTextBox1;              // first column is an int
SqlParameter p2 = new SqlParameter("@secval", SqlDbType.VarChar, 20);
p2.Value = valueFromTextBox2;              // second column is varchar(20)
cmd.Parameters.Add(p1);
cmd.Parameters.Add(p2);
cn.Open();
cmd.ExecuteNonQuery();
cn.Close();
Note: To observe what goes from ADO.NET into SQL Server, use the SQL Profiler tool.
Note: This code is not tested in Visual Studio.