Your code is vulnerable to
SQL Injection[
^].
NEVER use string concatenation to build a SQL query.
ALWAYS use a parameterized query.
You've also never executed your query, and never passed the XML to the query.
Try something like this:
const string Query = "UPDATE TableName SET YourXmlColumn = @Xml WHERE YourOtherColumn = @Condition";
using (SqlCommand cmd = new SqlCommand(Query, con))
{
cmd.CommandType = CommandType.Text;
cmd.Parameters.AddWithValue("@Xml", textBox2.Text);
cmd.Parameters.AddWithValue("@Condition", txt2.Text);
con.Open();
cmd.ExecuteNonQuery();
}
MessageBox.Show("ok");