As to "how to create search engine", the answer would be: by doing appropriate software development work. It all depends on where you want to do the search. If you need to search on the Web or a set of files, why are you doing something with a relational database? :-)
Just one thing: imagine that you already have the search engine with all the features of Google software. Will you be able to do the same search as Google at http://www.google.com? No! This is because you don't have Google data. Google collects and supports a lot of hashed data collected from the Web, "the second Web". You have access to this data only through the Google site.
As to the way you work with the SQL…
Your approach is wrong from the very beginning. The query is composed by concatenation with strings taken from the UI. Not only is repeated string concatenation inefficient (because strings are immutable; do I have to explain why it makes repeated concatenation bad?), but there is a way more important issue: it opens the doors to a well-known exploit called SQL injection.
This is how it works: http://xkcd.com/327
Are you getting the idea? The string taken from a control can be anything, including… a fragment of SQL code.
What to do? Just read about this problem and the main remedy: parametrized statements.
With ADO.NET, use this: http://msdn.microsoft.com/en-us/library/ff648339.aspx
Please see my past answers for some more detail:
EROR IN UPATE in com.ExecuteNonQuery();
hi name is not displaying in name?
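
The difference between a concatenated search query and a parametrized one, as an added example that is not part of the original answer. It uses Python's built-in sqlite3 in place of ADO.NET so it runs without a database server; the table, the function names and the sample input are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build a small in-memory table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, hidden INTEGER)"
    )
    conn.executemany(
        "INSERT INTO articles (title, hidden) VALUES (?, ?)",
        [("Intro to ADO.NET", 0), ("Search basics", 0), ("Internal notes", 1)],
    )
    return conn

def search_concatenated(conn, term):
    """The pattern the answer warns about: UI text pasted into the SQL string."""
    sql = ("SELECT title FROM articles WHERE hidden = 0 AND title LIKE '%"
           + term + "%'")
    return [row[0] for row in conn.execute(sql)]

def search_parameterized(conn, term):
    """The remedy: the SQL text is fixed and the UI text is a bound value."""
    # Escape LIKE wildcards so the term is matched literally.
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = ("SELECT title FROM articles "
           "WHERE hidden = 0 AND title LIKE ? ESCAPE '\\'")
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]

# Constructed input: the quote closes the string literal, so the rest of the
# text is parsed as SQL and the "hidden = 0" filter no longer applies.
CRAFTED = "' OR 1=1 --"

if __name__ == "__main__":
    conn = make_db()
    for term in ("Search", CRAFTED):
        print(repr(term))
        print("  concatenated: ", search_concatenated(conn, term))
        print("  parameterized:", search_parameterized(conn, term))
```

In ADO.NET the same separation is done with SqlCommand and its Parameters collection: the command text contains only placeholders and the values from the UI are supplied as parameters.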