Question about an SQL command in C#

Question:

SqlCommand comm =
new SqlCommand("UPDATE Contatos Set Telefone=" + " ' " + txtTelefone.Text + " ' " +
               ",Cidade=" + " ' " + txtCidade.Text + " ' " +
               ",Email=" + " ' " + txtEmail.Text + " ' " +
               ",Endereco=" + " ' " + txtEndereco.Text + " ' " +
               "WHERE Nome=" + txtNome.Text, conn);

Error: "Invalid column name 'the name in txtName'". The error message reads as if I were trying to reference a column name, where the column name is txtName.Text. My intention was for the SQL command to update the contact information according to the contact's name. I have little experience with SQL and I can't see where my error is.

Answer:

This is a bad way to run an SQL command. The correct thing is to create a parameter for each field that will be updated:

// Placeholders (@Name) stand in for every value; the text of the statement never
// contains user input, so quotes or keywords in the input cannot change its meaning.
SqlCommand comm = new SqlCommand("UPDATE Contatos Set Telefone = @Telefone, " +
                                 "Cidade = @Cidade, " +
                                 "Email = @Email, " +
                                 "Endereco = @Endereco " +
                                 "WHERE Nome = @Nome", conn);

// Bind each text box to its placeholder; the driver sends the values separately
// from the SQL text.
comm.Parameters.AddWithValue("@Telefone", txtTelefone.Text);
comm.Parameters.AddWithValue("@Cidade", txtCidade.Text);
comm.Parameters.AddWithValue("@Email", txtEmail.Text);
comm.Parameters.AddWithValue("@Endereco", txtEndereco.Text);
comm.Parameters.AddWithValue("@Nome", txtNome.Text);
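The following is an added example, not code from the question or the answer above. It shows why the concatenated query failed and why the obvious "fix" (wrapping Nome in quotes) is worse, then gives a complete parameterized update. It assumes a table Contatos(Nome, Telefone, Cidade, Email, Endereco) in which Nome is the key, the Microsoft.Data.SqlClient package (System.Data.SqlClient works the same way), and column lengths that are guesses; the method names and the sample inputs are constructed for illustration.

```csharp
// Added example; not from the original page. Assumes Contatos(Nome, Telefone,
// Cidade, Email, Endereco) with Nome as the key, and Microsoft.Data.SqlClient.
using System;
using System.Data;
using Microsoft.Data.SqlClient;

public static class ContatosRepository
{
    // Builds the statement the way the question did, without executing it, so the
    // failure mode is visible. Nome is concatenated unquoted, so SQL Server parses
    // the typed name as a column identifier: "Invalid column name 'Maria'".
    public static string BuildUnquoted(string nome, string telefone)
    {
        return "UPDATE Contatos SET Telefone='" + telefone + "' WHERE Nome=" + nome;
    }

    // The tempting one-character "fix": quote Nome too. The error disappears, but
    // the input  x' OR '1'='1  now yields  WHERE Nome='x' OR '1'='1'  and the
    // UPDATE rewrites every contact. A name such as O'Neil is a syntax error.
    public static string BuildQuoted(string nome, string telefone)
    {
        return "UPDATE Contatos SET Telefone='" + telefone + "' WHERE Nome='" + nome + "'";
    }

    // Hardened version: values travel as typed parameters, never as SQL text.
    // Returns the number of rows changed.
    public static int UpdateContato(string connectionString, string nome,
        string telefone, string cidade, string email, string endereco)
    {
        const string sql =
            "UPDATE Contatos SET Telefone = @Telefone, Cidade = @Cidade, " +
            "Email = @Email, Endereco = @Endereco WHERE Nome = @Nome";

        using (var conn = new SqlConnection(connectionString))
        using (var comm = new SqlCommand(sql, conn))
        {
            // Explicit types and lengths (assumed here) instead of AddWithValue:
            // AddWithValue infers NVARCHAR(length of this value), so the plan cache
            // sees a different signature per call and column types may be converted
            // implicitly. Fixed declarations keep one plan and no conversions.
            comm.Parameters.Add("@Telefone", SqlDbType.NVarChar, 20).Value = telefone;
            comm.Parameters.Add("@Cidade", SqlDbType.NVarChar, 100).Value = cidade;
            comm.Parameters.Add("@Email", SqlDbType.NVarChar, 254).Value = email;
            comm.Parameters.Add("@Endereco", SqlDbType.NVarChar, 200).Value = endereco;
            comm.Parameters.Add("@Nome", SqlDbType.NVarChar, 100).Value = nome;

            conn.Open();
            int rows = comm.ExecuteNonQuery();

            // With Nome as the key exactly one row should change. Zero means no such
            // contact; more than one means Nome is not unique and the WHERE clause
            // matched several contacts, which the caller should treat as an error.
            if (rows != 1)
                throw new InvalidOperationException(
                    $"Expected to update 1 row for Nome '{nome}', updated {rows}.");
            return rows;
        }
    }

    public static void Main()
    {
        // Constructed inputs showing the two concatenation failures.
        Console.WriteLine(BuildUnquoted("Maria", "123"));         // Nome=Maria -> column lookup
        Console.WriteLine(BuildQuoted("x' OR '1'='1", "123"));    // updates every row
        Console.WriteLine(BuildQuoted("O'Neil", "123"));          // unbalanced quote

        // Real call (needs a reachable server; connection string is a placeholder).
        // int n = UpdateContato("Server=.;Database=Agenda;Integrated Security=true;",
        //                       "O'Neil", "123", "Lisboa", "o@example.com", "Rua 1");
    }
}
```

The parameterized form handles the apostrophe in O'Neil and the `' OR '1'='1` payload identically: both are compared literally against the Nome column. The rows-affected check is the part people forget; parameters stop injection, but a non-unique Nome still lets one form submission overwrite several contacts.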