Two things:
1) Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead. Particularly in a web based application, where someone from the other side of the world could destroy your database without even trying hard...
2) Check your Page Load event: I am pretty sure you don't check for IsPostback before setting up your page - which means when the user clicks the button, you overwrite his new values before the Button_Click event is actioned...
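
Both points combined in one Web Forms code-behind, as an added example that is not part of the original answer. The page class, the `txtName`/`txtEmail` controls, the `Customers` table and the `AppDb` connection string are hypothetical names chosen for illustration.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

// Hypothetical page: txtName/txtEmail are TextBoxes declared in the .aspx markup;
// the Customers table and the "AppDb" connection string are assumptions.
public partial class EditCustomer : Page
{
    private static string ConnStr =>
        ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;

    private int CustomerId =>
        int.TryParse(Request.QueryString["id"], out int id) ? id : 0;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Fill the controls only on the first request. On a postback they already
        // hold what the user typed; reloading would overwrite it before Button_Click.
        if (IsPostBack) return;

        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(
            "SELECT Name, Email FROM Customers WHERE Id = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = CustomerId;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return;
                txtName.Text = reader.GetString(0);   // columns assumed NOT NULL
                txtEmail.Text = reader.GetString(1);
            }
        }
    }

    protected void Button_Click(object sender, EventArgs e)
    {
        // User input travels as typed parameters, never as part of the SQL text.
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(
            "UPDATE Customers SET Name = @name, Email = @email WHERE Id = @id", conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = txtName.Text;
            cmd.Parameters.Add("@email", SqlDbType.NVarChar, 256).Value = txtEmail.Text;
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = CustomerId;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```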