Apart from what Anuj Banka already stated: Your SQL statement is assembled by string concatenation operations and is thus prone to SQL injection attacks. Your problem most likely arises from the fact that somewhere inside a comment or a mark there is a single quote character which will corrupt your naively constructed SQL. Use the
SqlCommand[
^].
Parameters[
^] in conjunction with the
SqlParameter[
^] class.
Regards,
—MRB