Not like that!
Your code is vulnerable to
SQL Injection.
NEVER use string concatenation to build a SQL query.
ALWAYS use a parameterized query.
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP
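// Parameterized UPDATE: every user-supplied value travels as a parameter, never
// as query text, so a value such as product_name cannot alter the statement.
const string sql = "update productinfo set product_name = @name, product_price = @price, product_type = @type, product_qty = product_qty - @order_qty where product_id = @id";
using (var connection = new SqlConnection("..."))
using (var command = new SqlCommand(sql, connection))
{
    // AddWithValue infers the SqlDbType from the CLR value. When the column
    // types are known, Parameters.Add("@name", SqlDbType.NVarChar, size).Value = ...
    // avoids implicit conversions on the server; the inferred form is kept here
    // because the column types are not shown on this page.
    command.Parameters.AddWithValue("@name", product_name);
    command.Parameters.AddWithValue("@price", product_price);
    command.Parameters.AddWithValue("@type", product_type);
    command.Parameters.AddWithValue("@order_qty", order_qty);
    command.Parameters.AddWithValue("@id", product_id);

    connection.Open();

    // ExecuteNonQuery returns the number of rows the UPDATE touched. Zero means
    // no row matched product_id; the original discarded this and reported success.
    int rowsAffected = command.ExecuteNonQuery();
    if (rowsAffected == 0)
    {
        throw new InvalidOperationException($"No product with id {product_id} was found to update.");
    }
}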