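Not like that! Never concatenate strings to build a SQL command. It leaves you wide open to an accidental or deliberate SQL injection attack, which can destroy your entire database. Use parameterized queries instead: the values are sent to the server separately from the command text, so user input is never interpreted as SQL.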
First, parse the numeric values into numeric variables:
// Validate the quantity before any database work: only a value that parses as an
// integer goes on to be bound as a parameter; anything else is rejected here.
// NOTE(review): int.TryParse also accepts negative numbers. The UPDATE that uses
// qty adds it to Quantity, so a negative entry lowers the stored value; add a
// range check here if that is not intended.
int qty;
bool isValidQuantity = int.TryParse(txtUpdateQuantity.Text, out qty);
if (!isValidQuantity)
{
    ... report a problem to the user ...
    return;
}
Then try something like this:
// The command text is a fixed literal with @-placeholders. User input is supplied
// only as parameter values, never spliced into the SQL string.
const string updateSql = "UPDATE Books SET Quantity = Quantity + @QT WHERE [Name] = @NM AND Author = @AU";

// Both objects are disposed when the block exits, including when an exception is thrown.
using (SqlConnection connection = new SqlConnection(strConnect))
using (SqlCommand command = new SqlCommand(updateSql, connection))
{
    connection.Open();

    // AddWithValue infers the SQL type from the .NET value (int for qty, string for
    // the text boxes).
    // NOTE(review): if the column types or lengths matter for this table, bind with
    // Parameters.Add and an explicit SqlDbType instead; confirm against the schema.
    var parameters = command.Parameters;
    parameters.AddWithValue("@QT", qty);
    parameters.AddWithValue("@NM", txtBookName.Text);
    parameters.AddWithValue("@AU", txtBookAuthor.Text);

    // ExecuteNonQuery returns the number of rows affected. The result is discarded
    // here, so a Name/Author pair that matches no row updates nothing and gives no
    // indication to the caller.
    command.ExecuteNonQuery();
}