What you really need is a parameterised query. The idea is that you create a parameter, and associate it with the command object.
You can then fill in the value, and run the command. Check out the documentation for CreateParameter.
This is preferred to concatenating the text because it avoids problems with strings containing quotes, and the so-called SQL injection attacks.
Developer for hire
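
The steps described in the post above, as an added example that is not part of the original post. It assumes classic ADO driven from VBScript; the connection string, the `customers` table and its columns are placeholders.

```vbscript
Option Explicit

' ADO enum values (as listed in adovbs.inc); late-bound VBScript cannot import them.
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200

' ASSUMPTION: placeholder connection string. The target database is assumed to
' hold a table customers(id, name) where name is at most 50 characters.
Const CONN_STR = "<your OLE DB connection string>"

Dim conn, cmd, prm, rs, candidate

Set conn = CreateObject("ADODB.Connection")
conn.Open CONN_STR

' The SQL text is fixed; the ? marks where the value will be bound.
Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT id, name FROM customers WHERE name = ?"

' Create the parameter and associate it with the command object.
' A size is required for variable-length types when no value is supplied yet.
Set prm = cmd.CreateParameter("name", adVarChar, adParamInput, 50)
cmd.Parameters.Append prm

' Fill in the value and run the command. Constructed sample inputs: a plain
' name, a name containing a quote, and a string that would change the query
' if it were concatenated into the SQL text. Here each one is only ever
' compared against the name column as data.
For Each candidate In Array("Smith", "O'Brien", "x' OR '1'='1")
    prm.Value = candidate
    Set rs = cmd.Execute
    Do Until rs.EOF
        WScript.Echo candidate & " -> " & rs("id").Value & " " & rs("name").Value
        rs.MoveNext
    Loop
    rs.Close
Next

conn.Close
```

The same command object is reused for every value, so the SQL text is never rebuilt from user input.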