Never use concatenated strings to create your SQL command.
Use parameterised queries. Not only will that help to protect you from SQL Injection attacks, it makes it easier to construct the queries and helps to avoid some errors.
For example:
SqlCommand cmd=new SqlCommand("insert into Order_TB values(@Description,@Week,@month, @List4)",con);
cmd.Parameters.AddWithValue("@Description", TxtDescription.Text);
cmd.Parameters.AddWithValue("@Week", DdlWeek.Text);
cmd.Parameters.AddWithValue("@month", Ddlmonth.Text);
cmd.Parameters.AddWithValue("@List4", DropDownList4.Text);
cmd.ExecuteNonQuery();
con.Close();
Now look at your database table. What columns does it have ... Description, Week, month, List4 and nothing else (other than possibly an IDENTITY column).
If there are more columns on the table than that, then you need to do one of two things.
1. Give a list of the columns which you are going to provide. E.g.
SqlCommand cmd=new SqlCommand("insert into Order_TB (Description, Week, Month, List4) values(@Description,@Week,@month, @List4)",con);
(Note I have just guessed the column names - use your actual column names not the ones I have put in here)
2. Provide values for all of the columns in the table
SqlCommand cmd=new SqlCommand("insert into Order_TB values(@Description,@Week,@month, @List4, @column5, @column6)",con);
... etc