One more useful article on SQL injection:
You really need to get rid of building a query string by concatenation with some data taken from the UI. In a nutshell the idea of the exploit is very simple: anything can be placed in textBox1.Text. Even a fragment of SQL code. Parametrized statements solve this problem.
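The contrast the answer above draws, as an added example that is not part of the original answer: the same lookup written once by concatenating the UI value into the SQL text and once with a bound parameter. The answer is in a .NET/WinForms context; this example uses Python's standard sqlite3 module with a constructed in-memory table so it runs offline, and the table, the user names and the crafted input are all made up for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table standing in for the application's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_concat(conn, user_input):
    """Vulnerable form: the value taken from the UI is pasted into the SQL text,
    so whatever the user typed becomes part of the statement the engine parses."""
    sql = "SELECT name FROM users WHERE name = '" + user_input + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, user_input):
    """Parametrized form: the statement text is fixed and the value is bound
    separately, so it can only ever be compared as data, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (user_input,))]


if __name__ == "__main__":
    conn = make_db()
    benign = "bob"
    # Constructed input that closes the string literal and appends a tautology.
    crafted = "x' OR '1'='1"

    print(lookup_concat(conn, benign))   # ['bob']
    print(lookup_concat(conn, crafted))  # every user: the WHERE clause was rewritten
    print(lookup_param(conn, benign))    # ['bob']
    print(lookup_param(conn, crafted))   # []: nobody is literally named x' OR '1'='1
```

The ADO.NET equivalent of `lookup_param` is a `SqlCommand` whose text contains `@name` and whose value is supplied via `cmd.Parameters.AddWithValue("@name", textBox1.Text)` (or `Parameters.Add` with an explicit `SqlDbType`); the point is the same in every driver: the query text never changes shape based on user input.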