Use this method to avoid SQL injection: the user-supplied values are bound as parameters instead of being concatenated into the query text.
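/// <summary>
/// Inserts one CityMaster row from the txtcode and txtename controls.
/// The statement is parameterised, so the control text is never spliced
/// into the SQL text and cannot change its structure.
/// </summary>
/// <exception cref="SqlException">Propagated when the INSERT fails.</exception>
public static void Save()
{
    // NOTE(review): txtcode/txtename are referenced from a static method, so
    // they must themselves be static (or otherwise reachable) in the enclosing
    // type; the type is not visible here, so this is assumed, not verified.
    Save(txtcode.Text, txtename.Text);
}

/// <summary>
/// Inserts one CityMaster row with the given code and name.
/// Split out of the parameterless overload so the data-access part can be
/// called (and tested) without UI controls.
/// </summary>
/// <param name="code">Value bound to the @code parameter.</param>
/// <param name="ename">Value bound to the @ename parameter.</param>
/// <exception cref="SqlException">Propagated when the INSERT fails.</exception>
public static void Save(string code, string ename)
{
    // Verbatim literal: the original used "\S" and "\B", which are not valid
    // C# escape sequences. The value itself is unchanged.
    // NOTE(review): a hard-coded connection string belongs in configuration;
    // left in place here because only this snippet is visible.
    const string connectionString =
        @"Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\Business_Medical.mdf;Integrated Security=True;User Instance=True";

    // The closing parenthesis of the VALUES list was missing in the original.
    const string query = "INSERT INTO CityMaster(code,ename)VALUES(@code,@ename)";

    // using blocks release the connection and command even when ExecuteNonQuery
    // throws; the original only closed the connection on the success path.
    using (SqlConnection connection = new SqlConnection(connectionString))
    using (SqlCommand command = new SqlCommand(query, connection))
    {
        command.CommandTimeout = 30;
        command.CommandType = CommandType.Text;

        // Parameters are sent separately from the statement text, which is
        // what defeats injection here. AddWithValue infers SqlDbType from the
        // .NET value (nvarchar for string); if the columns are a different
        // type or have a fixed length, prefer Parameters.Add with an explicit
        // SqlDbType and size to avoid implicit conversions on the server.
        command.Parameters.AddWithValue("@code", code);
        command.Parameters.AddWithValue("@ename", ename);

        // The original never opened the connection, so ExecuteNonQuery would
        // have thrown InvalidOperationException.
        connection.Open();
        command.ExecuteNonQuery();
    }
}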