Your approach is wrong from the very beginning. You should never create a query by concatenation of strings taken from your UI. Instead, you need to use
parametrized statements. Please see:
http://msdn.microsoft.com/en-us/library/ff648339.aspx.
If you do it your way, you make your application totally vulnerable to a well-known exploit:
SQL Injection. The user can write anything in the UI, including some SQL fragment. Are you getting the idea? This is how:
http://xkcd.com/327.
Please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.
And now — drums… using parametrized statements will also solve the "problem" of blank spaces in data, as well as any other characters confusing your use of SQL syntax. :-)
—SA
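To make the answer's point concrete, here is an added example (not code from the thread or from the asker's application; it uses Python's built-in sqlite3 driver rather than ADO.NET because it can run anywhere without a SQL Server instance). The table, the names, the e-mail addresses and the two helper functions are constructed for illustration. It runs the same UPDATE both ways: once by string concatenation, as the asker did, and once as a parametrized statement. The concatenated version breaks on an ordinary name containing an apostrophe and lets a crafted value rewrite every row; the parametrized version handles both inputs as plain data.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the thread): an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("O'Brien", "obrien@example.com"),
            ("bob", "bob@example.com"),
        ],
    )
    return conn


def update_email_concat(conn, name, email):
    """The pattern the answer warns against: UI values are pasted into the SQL text.
    Returns the number of rows the UPDATE touched."""
    sql = "UPDATE users SET email = '" + email + "' WHERE name = '" + name + "'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_email_param(conn, name, email):
    """Parametrized statement: the driver sends the values separately from the SQL
    text, so quotes, spaces or SQL keywords inside the data never change the
    structure of the statement. Returns the number of rows the UPDATE touched."""
    cur = conn.execute("UPDATE users SET email = ? WHERE name = ?", (email, name))
    conn.commit()
    return cur.rowcount


def emails(conn):
    """Current name -> email mapping, for checking results."""
    return dict(conn.execute("SELECT name, email FROM users ORDER BY name"))


def demo():
    """Run both variants against the same inputs and collect what happened."""
    results = {}

    # 1. A perfectly legitimate name with an apostrophe: the concatenated query
    #    becomes  ... WHERE name = 'O'Brien'  and fails to parse at all.
    conn = make_db()
    try:
        update_email_concat(conn, "O'Brien", "new@example.com")
        results["concat_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "syntax error"
    # The parametrized statement updates exactly that one row.
    results["param_apostrophe"] = update_email_param(conn, "O'Brien", "new@example.com")

    # 2. A value that contains SQL syntax: concatenation turns the WHERE clause
    #    into  name = 'x' OR 'a'='a'  and every row in the table is rewritten.
    conn = make_db()
    results["concat_injected_rows"] = update_email_concat(
        conn, "x' OR 'a'='a", "attacker@example.com"
    )

    # 3. The same value as a parameter is just a string literal that matches
    #    no user, so nothing changes.
    conn = make_db()
    results["param_injected_rows"] = update_email_param(
        conn, "x' OR 'a'='a", "attacker@example.com"
    )
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Counting affected rows is a cheap sanity check worth keeping in real code too: an UPDATE keyed on a single user that reports more than one changed row is a sign that the statement did not mean what you thought it meant.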