Mattmanser прав, никогда не пишите SQL-запрос, объединяя параметры непосредственно в запросе. Пример параметризованного запроса:
string lastname = "Doe";
double height = 6.1;
DateTime date = new DateTime(1978,4,18);
var connection = new MySqlConnection(connStr);
try
{
connection.Open();
var command = new MySqlCommand(
"SELECT * FROM tblPerson WHERE LastName = @Name AND Height > @Height AND BirthDate < @BirthDate", connection);
command.Parameters.AddWithValue("@Name", lastname);
command.Parameters.AddWithValue("@Height", height);
command.Parameters.AddWithValue("@Name", birthDate);
MySqlDataReader reader = command.ExecuteReader();
...
}
finally
{
connection.Close();
}