As already said, always define the column names in your query.
But another thing: Never concatenate values to your queries directly. This leaves you open to possible SQL injections, data type conversion problems and so on. Instead use SqlParameter.
Addition:
An excellent cartoon suggested and appropriate for this situation :)
http://xkcd.com/327/
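The two points in the answer above (explicit column names, values passed through SqlParameter) can be combined as in this added example, which is not part of the original post. The table `dbo.Customers`, its columns, and the sample values are assumptions made for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient; // Microsoft.Data.SqlClient exposes the same types

static class CustomerInsert
{
    // Hypothetical table; the column list is spelled out so the statement
    // keeps working if columns are added or reordered later.
    const string Sql =
        "INSERT INTO dbo.Customers (Name, BirthDate, Balance) " +
        "VALUES (@Name, @BirthDate, @Balance);";

    public static SqlCommand Build(string name, DateTime? birthDate, decimal balance)
    {
        var cmd = new SqlCommand(Sql);

        // Typed and sized: the text travels as data and is never parsed as SQL,
        // so quotes in the value need no escaping.
        cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = name;

        // A missing date must be sent as DBNull.Value, not a C# null.
        cmd.Parameters.Add("@BirthDate", SqlDbType.Date).Value =
            (object)birthDate ?? DBNull.Value;

        // Decimal goes over as a decimal: no culture-dependent string
        // formatting ("1234,50" vs "1234.50") is involved.
        SqlParameter balanceParam = cmd.Parameters.Add("@Balance", SqlDbType.Decimal);
        balanceParam.Precision = 18;
        balanceParam.Scale = 2;
        balanceParam.Value = balance;

        return cmd;
    }

    static void Main()
    {
        // Constructed sample values; the apostrophe would break a concatenated query.
        using (SqlCommand cmd = Build("O'Brien", new DateTime(1980, 12, 3), 1234.50m))
        {
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine($"{p.ParameterName} ({p.SqlDbType}) = {p.Value}");

            // To run it against a database, set cmd.Connection to an open
            // SqlConnection and call cmd.ExecuteNonQuery().
        }
    }
}
```

The command text printed at the end is identical for every input; only the parameter values change.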