Start by using SSMS to look at exactly what you are trying to execute using a PRINT instead of EXECUTE.
At a guess, one of your parameters contains a quote character, which will mess up your whole statement.
You really don't want to do that anyway - you are still leaving yourself wide open to SQL Injection attack when you concatenate strings, even inside SQL. Passing your parameters as is would be a lot safer. See here for an example:
sql server - EXEC sp_executesql with multiple parameters - Stack Overflow
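The following T-SQL is an added example, not part of the original answer: it shows the PRINT check on a concatenated statement whose parameter contains a quote, next to the same query passed through `sp_executesql` with real parameters. The temp table, column names and sample values are constructed for illustration.

```sql
-- Constructed sample data; table and column names are hypothetical.
CREATE TABLE #Customers (
    Id       INT IDENTITY PRIMARY KEY,
    LastName NVARCHAR(50),
    City     NVARCHAR(50)
);
INSERT INTO #Customers (LastName, City)
VALUES (N'O''Brien', N'Cork'), (N'Smith', N'Leeds');

DECLARE @LastName NVARCHAR(50) = N'O''Brien';  -- value contains a quote character
DECLARE @City     NVARCHAR(50) = N'Cork';
DECLARE @sql      NVARCHAR(MAX);

-- 1) Concatenated form. PRINT it instead of executing it, so the exact
--    statement text is visible in the SSMS Messages tab.
SET @sql = N'SELECT Id, LastName, City FROM #Customers WHERE LastName = '''
         + @LastName + N''' AND City = ''' + @City + N'''';
PRINT @sql;
-- The quote inside the value closes the string literal early, so the text
-- after it is parsed as SQL. This is both the syntax error and the
-- injection point. Do not EXEC this string.

-- 2) Parameterized form. The statement text is fixed; the values travel
--    separately as typed parameters and are never parsed as SQL.
SET @sql = N'SELECT Id, LastName, City
             FROM #Customers
             WHERE LastName = @pLastName AND City = @pCity';
PRINT @sql;  -- the printed text no longer depends on the input values

EXEC sp_executesql
     @sql,
     N'@pLastName NVARCHAR(50), @pCity NVARCHAR(50)',  -- parameter definitions
     @pLastName = @LastName,
     @pCity     = @City;

DROP TABLE #Customers;
```

Only values can be passed this way; object names such as table or column names cannot be parameters and need `QUOTENAME` or an allow-list if they must vary.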