Well yes - your quotation marks don't make any sense!
command.CommandText = "update bill set staffid=staffid' and cstid='"
But then, the whole SQL is wrong, and even if it wasn't it would bne extremely dangerous. Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
You've even got the code in there to add the parameters, but you don't use them at all!
Try:
command.CommandText = "update bill set staffid=@staffid, cstid=@cstid, ...
And provide the parameters properly:
command.Parameters.AddWithValue("@staffid", txtstaff.Text);
...
But do yourself (and your users) a favour: some of those are numeric values, so verify and convert the user inputs to the appropriate numeric value first before you try to pass them to SQL by using int.TryParse, double.TryParse, and so forth. If there is a problem, report it to the user instead of letting bad data to to the DB and hoping SQL rejects it.