The immediate solution is to add the missing last quotation mark to the statement:
SqlStr = SqlStr + "'" + TxtSize.Text + "')";
However, I suggest not concatenating the data from controls directly to the SQL statement. This leaves you wide open to SQL injections. Instead, use
SQLParameter[
^].
So in overall your code should look something like
SqlStr = @"
INSERT INTO Filelib (Id_Files, Name, Year, Director, Quality, Size)
VALUES (@Id_Files, @Name, @Year, @Director, @Quality, @Size)";
using(sqlcmd = new SqlCommand(SqlStr, cn)) {
sqlcmd.Parameters.AddWithValue("@Id_Files", TxtId_Files.Text);
sqlcmd.Parameters.AddWithValue("@Name", TxtName.Text);
sqlcmd.Parameters.AddWithValue("@Year", TxtYear.Text);
sqlcmd.Parameters.AddWithValue("@Director", TxtDirector.Text);
sqlcmd.Parameters.AddWithValue("@Quality", TxtQuality.Text);
sqlcmd.Parameters.AddWithValue("@Size", TxtSize.Text);
sqlcmd.ExecuteNonQuery();
}
Also it would be advisable to wrap the command into a using block that defines the connection.
For more discussion, have a look at
Properly executing database operations[
^]