Your approach is wrong from the very beginning. You should never create a query by concatenation of strings taken from your UI. Instead, you need to use parametrized statements. Please see:
http://msdn.microsoft.com/en-us/library/ff648339.aspx.
If you do it your way, you make your application totally vulnerable to a well-known exploit: SQL Injection. The user can write anything in the UI, including some SQL fragment. Are you getting the idea? This is how:
http://xkcd.com/327.
Please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.
—SA
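The contrast the answer draws, as an added example that is not part of the original post or the asker's code: the same UPDATE written once by string concatenation and once with placeholders, run against a constructed in-memory SQLite table. Python's sqlite3 module is used here so the block runs stand-alone; the `?` placeholder plays the role that `SqlCommand.Parameters` plays in ADO.NET. The table, the user rows and the input strings are all made up for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demo; not taken from any real application.
SAMPLE_USERS = [(1, "alice"), (2, "bob")]


def make_db():
    """Fresh in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def update_name_concatenated(conn, user_id, new_name):
    """The pattern the answer warns against: UI text glued into the SQL string.
    Any quote or SQL fragment inside new_name becomes part of the statement."""
    sql = "UPDATE users SET name = '" + new_name + "' WHERE id = " + str(user_id)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_name_parameterized(conn, user_id, new_name):
    """The recommended pattern: placeholders in the SQL, values passed separately.
    The driver hands new_name to the engine as data, never as SQL text."""
    cur = conn.execute("UPDATE users SET name = ? WHERE id = ?", (new_name, user_id))
    conn.commit()
    return cur.rowcount


def get_name(conn, user_id):
    """Read a user's stored name back (parameterized as well)."""
    row = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


def table_exists(conn, table):
    """True if the named table is still present in the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def demo():
    """Run both variants on the same inputs and return what each produced."""
    results = {}
    conn = make_db()

    # A perfectly legitimate name that happens to contain a quote.
    try:
        update_name_concatenated(conn, 1, "O'Brien")
        results["concat_quote"] = get_name(conn, 1)
    except sqlite3.Error as exc:
        # The quote terminated the string literal early and broke the statement;
        # the same mechanism is what lets hostile input alter the query.
        results["concat_quote"] = type(exc).__name__

    # The same input through a placeholder is stored verbatim.
    update_name_parameterized(conn, 1, "O'Brien")
    results["param_quote"] = get_name(conn, 1)

    # Text that looks like SQL (the xkcd 327 string) is still just data here:
    # it lands in the name column and the users table is untouched.
    update_name_parameterized(conn, 2, "Robert'); DROP TABLE users;--")
    results["param_sql_like"] = get_name(conn, 2)
    results["table_intact"] = table_exists(conn, "users")
    results["user1_untouched"] = get_name(conn, 1)
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated version fails on ordinary data containing a quote, which is the same parsing boundary an attacker would use; the parameterized version never lets the value touch the parser, so neither the quote nor the SQL-looking text changes the statement's structure.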