I noticed something with your query here:
Just so you know, concatenating strings in an SQL query leaves you open to SQL injection vulnerabilities. It's a good idea to use parameterized queries and other methods to avoid this, particularly when dealing with public-facing systems.
Here's more info on SQL injection prevention. I've written out the equivalent of your query using parameters for your reference.
Hope this helps. Happy coding!