First you don't need the ending
& ""
garbage. I see that all the time with newb's and it's completely useless.
On your problem line, you start a string literal with a " and then you try to add a variable value to it without first closing the literal.
Next, DO NOT USE string concatenation to build an SQL query. ALWAYS use parameterized queries. See
DataAdapter Parameters | Microsoft Docs[
^] for how to do it.
Then go see
Google: sql injection attack[
^] for why.