Your application is wide open for SQL injection attacks.
Please instruct your users not to enter this in the text field:
','','',8);drop table Users;--
Alternatively, you can correct the code. Use parameterised queries instead of concatenating the data into the query.
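The difference between the two approaches, as an added example that is not part of the original answer or the asker's code. It assumes Python's `sqlite3` module and a hypothetical four-column `Users` table; the helper names and sample values are constructed for illustration.

```python
import sqlite3

# The input quoted in the answer above.
PAYLOAD = "','','',8);drop table Users;--"

def make_db():
    # Assumed schema: four columns, so the payload's value list fits.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (name TEXT, email TEXT, phone TEXT, level INTEGER)")
    return db

def insert_concatenated(db, name):
    # Vulnerable: the text field's content is spliced into the SQL text,
    # so a quote in the input ends the string literal early.
    sql = "INSERT INTO Users VALUES ('" + name + "','a@example.test','555',1)"
    db.executescript(sql)  # stands in for a driver that accepts statement batches

def insert_parameterised(db, name):
    # Fixed: the SQL text is constant; the input travels separately as a bound value.
    db.execute("INSERT INTO Users VALUES (?, ?, ?, ?)",
               (name, "a@example.test", "555", 1))
    db.commit()

def table_exists(db, name):
    row = db.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1

def demo(insert):
    """Run one insert helper on a fresh database and report what is left."""
    db = make_db()
    try:
        insert(db, PAYLOAD)
    except sqlite3.Error:
        pass  # an error late in a batch does not undo statements that already ran
    if not table_exists(db, "Users"):
        return None  # the table is gone
    return [row[0] for row in db.execute("SELECT name FROM Users")]

if __name__ == "__main__":
    print("concatenated :", demo(insert_concatenated))
    print("parameterised:", demo(insert_parameterised))
```

With the parameterised insert the input is stored verbatim as the `name` value and the table is untouched, so no input filtering or user instructions are needed.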