As a rule of thumb, you should not compose your query out of the data such as TextBox.Text. Instead, you should create one or more parametrized queries, create one or more database Command objects and re-use them by passing parameters from your data. You did not tell us which database provider you want to use, and I don't want to give you examples of all possible cases, as different mechanisms are used for different database providers: it can use named or positional correspondence between formal query parameters and objects.

See http://msdn.microsoft.com/en-us/library/yy6y35y8.aspx.

—SA
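As an added example (not part of SA's answer), the same lookup written three ways in C#: once by concatenating the TextBox value into the SQL text, which is what the answer warns against, and then with a named (SqlClient) and a positional (OleDb) parameter. It assumes a Users table with UserName and DisplayName columns, a userNameBox TextBox whose Text you pass in, and placeholder connection strings.

```csharp
using System;
using System.Data;
using System.Data.OleDb;
using System.Data.SqlClient;

static class UserLookup
{
    // Assumed schema: Users(UserName nvarchar(50), DisplayName nvarchar(100)).
    // Connection strings are placeholders, not real values.
    const string SqlConnStr = "<sql-server-connection-string>";
    const string OleDbConnStr = "<oledb-connection-string>";

    // Do NOT do this: the statement text is assembled from user input, so a
    // quote character typed into the TextBox changes what the query means.
    static string UnsafeDisplayName(string userName)
    {
        using (var conn = new SqlConnection(SqlConnStr))
        using (var cmd = new SqlCommand(
            "SELECT DisplayName FROM Users WHERE UserName = '" + userName + "'", conn))
        {
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }
    // SqlClient uses named parameters (@userName): the value travels as typed
    // data, separate from the SQL text, so its characters cannot alter the query.
    static string DisplayNameNamed(string userName)
    {
        using (var conn = new SqlConnection(SqlConnStr))
        using (var cmd = new SqlCommand(
            "SELECT DisplayName FROM Users WHERE UserName = @userName", conn))
        {
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 50).Value = userName;
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }
    // OleDb uses positional parameters ('?'), bound in the order they are added,
    // so the parameter name is irrelevant; only the order matters.
    static string DisplayNamePositional(string userName)
    {
        using (var conn = new OleDbConnection(OleDbConnStr))
        using (var cmd = new OleDbCommand(
            "SELECT DisplayName FROM Users WHERE UserName = ?", conn))
        {
            cmd.Parameters.Add("p0", OleDbType.VarWChar, 50).Value = userName;
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }
}
```

Call DisplayNameNamed(userNameBox.Text) or DisplayNamePositional(userNameBox.Text) from the form; the Command object can be created once and reused by changing the parameter's Value before each execution.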