It doesn't look like you're using SQL parameters, so please consider this article:
http://weblogs.sqlteam.com/jeffs/archive/2006/07/21/10728.aspx
You should always use parameters, rather than trying to build strings like you have. This is in VB (copied from the article!), but it should show you how you can use parameters rather than concatenating a string to execute:
' Build the command against your open connection; the SQL text contains only placeholders
Dim cm As New SqlCommand("", YourConnection)
cm.CommandText = "update UserChannelRights set FormUpdated=@UpdateTime, channelname=@ChannelName where UserId=@UserID"
' Each value is sent to SQL Server separately and typed; it is never spliced into the SQL text
cm.Parameters.Add("@UpdateTime", SqlDbType.DateTime).Value = DateTime.Now
cm.Parameters.Add("@ChannelName", SqlDbType.NVarChar).Value = channelname
cm.Parameters.Add("@UserID", SqlDbType.Int).Value = userid
cm.ExecuteNonQuery()
This often solves a number of problems (e.g. date conversion) that can occur and will also protect you from SQL injection.
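The following is an added example, not part of the original answer or the linked article, showing the same update written both ways so the difference is visible on a runnable in-memory database. It uses Python's sqlite3 module (with `:name` placeholders in place of ADO.NET's `@name`) against a constructed UserChannelRights table with made-up rows; the `update_concatenated` and `update_parameterized` functions and the sample inputs are all assumptions made for the demonstration.

```python
import sqlite3
from datetime import datetime


def make_db():
    # Constructed sample table and rows, roughly mirroring the one in the answer.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE UserChannelRights "
        "(UserId INTEGER, FormUpdated TEXT, channelname TEXT)"
    )
    conn.executemany(
        "INSERT INTO UserChannelRights VALUES (?, ?, ?)",
        [(1, None, "news"), (2, None, "sports"), (3, None, "weather")],
    )
    conn.commit()
    return conn


def update_concatenated(conn, userid, channelname):
    # The pattern the answer warns against: the value is glued into the SQL text,
    # so any quote in channelname becomes part of the statement's syntax.
    sql = (
        "update UserChannelRights set FormUpdated='" + datetime.now().isoformat()
        + "', channelname='" + channelname
        + "' where UserId=" + str(userid)
    )
    conn.execute(sql)
    conn.commit()


def update_parameterized(conn, userid, channelname):
    # The recommended pattern: the SQL text is fixed, values travel separately,
    # so channelname is stored verbatim no matter what characters it contains.
    sql = (
        "update UserChannelRights set FormUpdated=:UpdateTime, "
        "channelname=:ChannelName where UserId=:UserID"
    )
    conn.execute(sql, {
        "UpdateTime": datetime.now().isoformat(),
        "ChannelName": channelname,
        "UserID": userid,
    })
    conn.commit()


def channel_names(conn):
    # Channel names ordered by UserId, to show which rows each update touched.
    return [row[0] for row in conn.execute(
        "select channelname from UserChannelRights order by UserId"
    )]


def demo():
    # Runs both variants on a plain name with an apostrophe and on a value that
    # contains SQL syntax, and reports what each one did to the table.
    results = {}

    # A perfectly ordinary name breaks the concatenated statement outright.
    conn = make_db()
    try:
        update_concatenated(conn, 2, "O'Neil")
        results["concat_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "syntax error"

    conn = make_db()
    update_parameterized(conn, 2, "O'Neil")
    results["param_apostrophe"] = channel_names(conn)

    # A value containing SQL syntax: concatenation lets it rewrite the WHERE
    # clause (row 1 changes, row 3 does not), parameters just store the text.
    crafted = "x' where UserId=1 --"
    conn = make_db()
    update_concatenated(conn, 3, crafted)
    results["concat_crafted"] = channel_names(conn)

    conn = make_db()
    update_parameterized(conn, 3, crafted)
    results["param_crafted"] = channel_names(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The two failure modes the answer mentions show up directly: with concatenation an apostrophe in legitimate data is a syntax error, and input containing SQL syntax changes which rows the UPDATE hits; with parameters the same inputs are stored as literal text and only the intended row is updated. The same holds for the date value: passing `DateTime.Now` as a typed parameter avoids the locale-dependent string conversion that concatenation forces.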