vb.net - SQL code works in a new query, but not in the program - exception error: "only constants, expressions or variables are allowed"


The code works as it should and inserts into the table when used as a query in SQL Server Management Studio. I'm new to SQL, so any help is appreciated, thanks.

SQL Server Management Studio query:

```sql
insert site(
    sub_company_id, site_name, site_code,
    site_address_1, site_address_2, site_address_3, site_address_4,
    site_postcode, site_email, site_username, site_password,
    site_order_budget, site_float, site_managment_percentage,
    site_bond_percentage, site_minimum_fee)
values(
    '01', 'a', '1',
    'c', 'd', 'e', 'f',
    'g', 'h', 'i', 'j',
    '1', '2', '3',
    '4', '5')
```

However, when used in the actual program I get an exception error with whatever is typed in the text box for site_name. It says only constants, expressions or variables are allowed. I don't have the problem when using the string "a" in the SQL statement, though. (This is on one line in the program; I tried to make it easier to read here.)

Program code:

```vbnet
' Original (failing) statement: the text box values are concatenated
' straight into the SQL with no quotes around them.
Dim str As String = "insert site(sub_company_id, site_name, site_code, site_address_1, site_address_2, " &
    "site_address_3, site_address_4, site_postcode, site_email, site_username, site_password, " &
    "site_order_budget, site_float, site_managment_percentage, site_bond_percentage, site_minimum_fee) values(" &
    lstsubcompany.selectedvalue & "," &
    txtsitename.text & "," &
    txtsitecode.text & "," &
    txtaddress1.text & "," &
    txtaddress2.text & "," &
    txtaddress3.text & "," &
    txtaddress4.text & "," &
    txtpostcode.text & "," &
    txtemail.text & "," &
    txtusername.text & "," &
    txtpassword.text & "," &
    txtorderbudget.text & "," &
    txtfloat.text & "," &
    txtmanagmentfee.text & "," &
    txtbond.text & "," &
    txtminimumfee.text & ")"
```

Surround the values with string delimiters (i.e. '):

```vbnet
' Same statement with each value wrapped in single quotes so SQL Server
' reads them as string literals.
Dim str As String = "insert site(sub_company_id, site_name, site_code, site_address_1, site_address_2, " &
    "site_address_3, site_address_4, site_postcode, site_email, site_username, site_password, " &
    "site_order_budget, site_float, site_managment_percentage, site_bond_percentage, site_minimum_fee) values('" &
    lstsubcompany.selectedvalue & "','" &
    txtsitename.text & "','" &
    txtsitecode.text & "','" &
    txtaddress1.text & "','" &
    txtaddress2.text & "','" &
    txtaddress3.text & "','" &
    txtaddress4.text & "','" &
    txtpostcode.text & "','" &
    txtemail.text & "','" &
    txtusername.text & "','" &
    txtpassword.text & "','" &
    txtorderbudget.text & "','" &
    txtfloat.text & "','" &
    txtmanagmentfee.text & "','" &
    txtbond.text & "','" &
    txtminimumfee.text & "')"
```

But this kind of insert is wide open to SQL injection. Use SqlCommand instead.

And hash the password before storing it.
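The parameterised SqlCommand and password hashing the answer recommends, as an added example (not the asker's or answerer's code). It assumes the column list from the SSMS statement above, a placeholder connection string, and a PBKDF2 hash stored as "iterations:salt:hash"; the caller fills the dictionary from the text boxes (e.g. values("site_name") = txtsitename.text).

```vbnet
Imports System.Collections.Generic
Imports System.Data.SqlClient
Imports System.Linq
Imports System.Security.Cryptography

Module SiteInsert
    ' Assumed connection string; replace with your own.
    Private Const ConnString As String = "Server=.;Database=YourDb;Integrated Security=True"

    ' Column names are a fixed list in code (never taken from user input);
    ' every value is sent as a parameter rather than pasted into the SQL text.
    Private ReadOnly Columns As String() = {
        "sub_company_id", "site_name", "site_code", "site_address_1", "site_address_2",
        "site_address_3", "site_address_4", "site_postcode", "site_email", "site_username",
        "site_password", "site_order_budget", "site_float", "site_managment_percentage",
        "site_bond_percentage", "site_minimum_fee"}

    ' PBKDF2 (Rfc2898DeriveBytes) with a random 16-byte salt.
    ' Returns "iterations:salt:hash" with salt and hash Base64-encoded (assumed storage format).
    Public Function HashPassword(password As String) As String
        Const iterations As Integer = 100000
        Dim salt(15) As Byte
        Using rng As New RNGCryptoServiceProvider()
            rng.GetBytes(salt)
        End Using
        Using kdf As New Rfc2898DeriveBytes(password, salt, iterations)
            Return iterations & ":" & Convert.ToBase64String(salt) & ":" &
                   Convert.ToBase64String(kdf.GetBytes(32))
        End Using
    End Function

    ' values: one entry per name in Columns, keyed by column name.
    Public Sub InsertSite(values As IDictionary(Of String, Object))
        ' Only fixed column names go into the SQL text; user data goes in @parameters.
        Dim sql As String = "INSERT INTO site (" & String.Join(", ", Columns) & ") VALUES (" &
                            String.Join(", ", Columns.Select(Function(c) "@" & c)) & ")"
        Using conn As New SqlConnection(ConnString)
            Using cmd As New SqlCommand(sql, conn)
                For Each col As String In Columns
                    Dim v As Object = values(col)
                    If col = "site_password" Then v = HashPassword(CStr(v)) ' never store plaintext
                    ' Quotes or keywords typed into txtsitename.text cannot change the statement.
                    cmd.Parameters.AddWithValue("@" & col, If(v, DBNull.Value))
                Next
                conn.Open()
                cmd.ExecuteNonQuery()
            End Using
        End Using
    End Sub
End Module
```

Convert the numeric text boxes (budget, float, percentages, fee) to the column's actual type before adding them to the dictionary if those columns are not varchar.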