Your approach is wrong from the very beginning. You should never create a query by concatenation of strings taken from your UI. Instead, you need to use parameterized statements. Please see: http://msdn.microsoft.com/en-us/library/ff648339.aspx
If you do it your way, you make your application totally vulnerable to a well-known exploit: SQL Injection. The user can write anything in the UI, including some SQL fragment. Are you getting the idea? This is how: http://xkcd.com/327
Please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();
hi name is not displaying in name?
And now — drums… using parameterized statements will also solve the "problem" of blank spaces in data, as well as any other characters confusing your use of SQL syntax.
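An added, runnable illustration of the point above (not code from the original answer, which concerned C#/ADO.NET; this uses Python's sqlite3 so it can run offline). The table, rows, and the `update_email_*` function names are constructed for the example. It runs the same UPDATE three ways: built by string concatenation with quotes, built by concatenation without quotes, and with a parameterized statement, against ordinary data containing an apostrophe or a space and against an injection payload:

```python
import sqlite3

# Constructed sample rows for the example (not from the original post).
SEED_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("O'Brien", "obrien@example.com"),
    ("Mary Ann", "maryann@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def update_email_concat(conn, name, email):
    """Wrong: UI strings are pasted into the SQL text (quoted, but still injectable)."""
    sql = "UPDATE users SET email = '" + email + "' WHERE name = '" + name + "'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # rows actually changed


def update_email_concat_unquoted(conn, name, email):
    """Also wrong: the common beginner variant that forgets the quotes around the name."""
    sql = "UPDATE users SET email = '" + email + "' WHERE name = " + name
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_email_param(conn, name, email):
    """Right: the SQL text is fixed; the values travel separately as parameters."""
    cur = conn.execute("UPDATE users SET email = ? WHERE name = ?", (email, name))
    conn.commit()
    return cur.rowcount


def _try(fn, name, email):
    """Run one variant on a fresh database; report rowcount or 'syntax error'."""
    try:
        return fn(make_db(), name, email)
    except sqlite3.OperationalError:
        return "syntax error"


def demo():
    """Compare the three variants on ordinary data and on an injection payload."""
    results = {}
    # 1. An apostrophe in perfectly normal data breaks the concatenated statement.
    results["concat_apostrophe"] = _try(update_email_concat, "O'Brien", "new@example.com")
    results["param_apostrophe"] = _try(update_email_param, "O'Brien", "new@example.com")
    # 2. A blank space in the data breaks the unquoted concatenation; parameters do not care.
    results["concat_spaces"] = _try(update_email_concat_unquoted, "Mary Ann", "ma@example.com")
    results["param_spaces"] = _try(update_email_param, "Mary Ann", "ma@example.com")
    # 3. SQL injection: the "name" typed into the UI carries an OR clause that is always true,
    #    so concatenation rewrites every row; the parameterized version matches no row at all.
    payload = "nobody' OR '1'='1"
    results["concat_injection_rows"] = _try(update_email_concat, payload, "evil@example.com")
    results["param_injection_rows"] = _try(update_email_param, payload, "evil@example.com")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The parameterized version never has to think about apostrophes, spaces, or `OR '1'='1'` in the data, because the database driver never parses the values as SQL; that is the whole reason it is the fix for both the "error in UPDATE" symptom and the injection.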