Not like that! Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.
When you concatenate strings, you cause problems because SQL receives commands like:
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;
Which SQL sees as three separate commands:
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
DROP TABLE MyTable;
A perfectly valid "delete the table" command
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.
So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?
Having said that, there are several other problems with your approach:
1) Never pass DateTime info as a string, even if you have made the mistake of storing it as such: that means that the format of the date you pass will always depend on the user settings for the computer your app is running on - and that means that you may not be able to tell what the date is: "01-02-03" is what? First Feb 2003? Second Jan 2003? Third Feb 2001? Depends entirely on the user settings! Always pass DateTime values as DateTime via parameters.
2) If you updt\ae a field with a timestamp, you really need to be using UTC rather than the local time for the computer the app is running on. Partly to avoid daylight savings changes causing problems, but mostly to prevent international users entering wildly different times at the same moment, both of which are locally correct!
3) Don't use
.Text == ""
as an "Emptiness" test: use
string.IsNullOrWhitepace
instead. " " is not the same as ""!
One (better) way to do this is to let Sql Server handle the timestamp for you:
sql server - Need a datetime field in MS SQL that automatically updates when the record is modified - Stack Overflow[
^] that can use UTC and the server time so there is never any confusion over timezones, daylight saving, or a computer that has the clock set wrong ...