One, you should not be using string concatenation with unvalidated user input. EVER!! Use a parameterized query at the very least.
Perhaps I misunderstood the question, but, if you are assuming that given a filename SQL Server will automatically insert the contents of the file to the database then you are mistaken.
See
here[
^] for how to add files to SQL Server