Unknown column ‘xxx’ in ‘where clause’

In ASP.NET, when the value of a TextBox is read and concatenated straight into the SQL string, this form is wrong:

"select * from User where name="+name

That form only works when the column is an int type: for a string column the value is not quoted, so MySQL reads it as a column name and reports "Unknown column 'xxx' in 'where clause'". The correct form for a string type is:

"select * from User where name='" + name + "'";
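Quoting the value removes the syntax error, but any concatenated query still lets a quote character inside the TextBox input alter the SQL, so the fix a practitioner would actually ship is a parameterized query. The following C# is an added example, not code from the original post; it assumes the MySql.Data provider (MySqlConnection, MySqlCommand), since the error text is MySQL's.

```csharp
using System;
using MySql.Data.MySqlClient; // assumption: MySql.Data provider, as the error is MySQL's

public static class UserLookup
{
    // The post's corrected form: the value is spliced into the SQL text with quotes.
    // This avoids "Unknown column 'xxx' in 'where clause'", but the input is still
    // parsed as SQL, so it remains vulnerable to SQL injection.
    public static string BuildConcatenated(string name)
    {
        return "select * from User where name='" + name + "'";
    }

    // Parameterized form: the value is sent separately from the SQL text, so no quoting
    // is needed for strings or ints, and the input can never change the query structure.
    public static MySqlCommand BuildParameterized(MySqlConnection conn, string name)
    {
        var cmd = new MySqlCommand("select * from User where name = @name", conn);
        cmd.Parameters.AddWithValue("@name", name);
        return cmd;
    }
}
```

The same pattern applies to an int column: pass the parsed integer as the parameter value instead of concatenating it.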
