Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attacks, which can destroy your entire database. Use parameterized queries instead.
And when you have a null value to pass through, replace it with DBNull.Value as the parameter.
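To make the two points in this answer concrete, here is an added ADO.NET example (not code from the original poster) that puts the string-concatenation pattern next to the parameterized one and shows the DBNull.Value substitution for a nullable column. The `Customers` table and its `Name` and `Email` columns are assumed for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class CustomerRepository
{
    // The pattern the answer warns against: the caller's input is pasted into the
    // SQL text, so whatever it contains becomes part of the command's structure.
    public static SqlCommand BuildConcatenatedCommand(SqlConnection conn, string name)
    {
        var cmd = conn.CreateCommand();
        cmd.CommandText =
            "SELECT Id, Name, Email FROM Customers WHERE Name = '" + name + "'";
        return cmd;
    }

    // Parameterized form: the SQL text is fixed and the value travels separately,
    // so the database only ever treats it as data, never as SQL.
    public static SqlCommand BuildParameterizedCommand(SqlConnection conn, string name)
    {
        var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT Id, Name, Email FROM Customers WHERE Name = @name";
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }

    // Insert with an optional email. A C# null must be replaced by DBNull.Value:
    // a parameter whose Value is left as null counts as "not supplied" and the
    // provider rejects the command at execution time instead of writing NULL.
    public static int InsertCustomer(SqlConnection conn, string name, string email)
    {
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "INSERT INTO Customers (Name, Email) VALUES (@name, @email)";
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            cmd.Parameters.Add("@email", SqlDbType.NVarChar, 255).Value =
                (object)email ?? DBNull.Value;
            return cmd.ExecuteNonQuery();
        }
    }

    // Reading the nullable column back: the provider returns DBNull, not null,
    // so check for it before casting.
    public static string ReadEmail(IDataRecord row)
    {
        int ordinal = row.GetOrdinal("Email");
        return row.IsDBNull(ordinal) ? null : row.GetString(ordinal);
    }
}
```

Sizing the parameter explicitly (`SqlDbType.NVarChar, 100`) keeps the plan cache from fragmenting across inputs of different lengths; the `(object)` cast on the null-coalescing expression is needed because `string` and `DBNull` share no common type.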