Um.
... where YEAR = '"+txtYear+"', COURSE = '"+txtCourse+"'";
Did you mean
... where YEAR = '"+txtYear+"' AND COURSE = '"+txtCourse+"'";
But please, don't do that. Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.