Start by making sure you can communicate with the device: use Hyperterminal or similar to make sure that everything works as expected before you even start coding.
Then at least you start from a working base: your baud rate and other communication parameters are correct before you start adding in other complexities.
When you have a working base to go from, think about how the communications work: you send a message, it should respond - that can take more than a few milliseconds: 9600 baud for example is less than 900 characters per second, plus there is the (unknown) response time taken by the device at the other end anyway.
Bear in mind that serial ports are just that: they receive data as individual characters, not whole messages - and each character takes time to arrive. So checking for input and grabbing it immediately expecting it to be the whole message probably isn't going to work unless your PC is unbelievably slow!
What I'd do is set up a secondary thread to handle all comms: it monitors for input and feeds messages back up to the main thread via an event without worrying about their content, just using the "basic packaging" of the device messages - probably just "text ending with a newline". A BackgroundWorker is a good fit here, as it provides progress reporting which can handle a whole message. This can easily be set up to provide a timeout.
The higher level task then processes the message and either displays it, or converts it for addition to the DB.
And don't do DB work like that! Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.
When you concatenate strings, you cause problems because SQL receives commands like:
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;
Which SQL sees as three separate commands:
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
DROP TABLE MyTable;
A perfectly valid "delete the table" command
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.
So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?
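The concatenation problem and the parameterized fix from the answer above, as an added runnable example (not the answer's own code): it uses Python's sqlite3 with a constructed in-memory MyTable, but the same shape applies to .NET's SqlCommand with SqlParameter objects. The table name, column name and sample rows are assumptions taken from the answer's example.

```python
import sqlite3


def make_db():
    """Constructed sample database: a MyTable with a StreetAddress column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MyTable (Id INTEGER PRIMARY KEY, StreetAddress TEXT)")
    conn.executemany("INSERT INTO MyTable (StreetAddress) VALUES (?)",
                     [("Baker's Wood",), ("x",)])
    conn.commit()
    return conn


def find_by_address_concat(conn, address):
    """The broken way: the user's text becomes part of the SQL grammar."""
    sql = "SELECT * FROM MyTable WHERE StreetAddress = '" + address + "'"
    return conn.execute(sql).fetchall()


def find_by_address_param(conn, address):
    """The safe way: the text is bound as a value and never parsed as SQL."""
    sql = "SELECT * FROM MyTable WHERE StreetAddress = ?"
    return conn.execute(sql, (address,)).fetchall()


def concat_fails_on_apostrophe(conn):
    """An ordinary address containing a quote breaks the concatenated query."""
    try:
        find_by_address_concat(conn, "Baker's Wood")
        return False
    except sqlite3.OperationalError:
        return True


def table_still_exists(conn):
    """Check MyTable survived whatever query was run against it."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'MyTable'"
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("concat breaks on apostrophe:", concat_fails_on_apostrophe(db))
    print("param finds the row:", find_by_address_param(db, "Baker's Wood"))
    print("param treats payload as data:", find_by_address_param(db, "x';DROP TABLE MyTable;--"))
    print("table still exists:", table_still_exists(db))
```

With the parameterized version the payload string is compared literally against StreetAddress, matches nothing, and the table is untouched.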