Why does creating a parameter for each field that will be updated help prevent SQL injection? Example:
// Parameterised UPDATE. The statement text is a compile-time constant that
// contains no user input; every value taken from the form is bound to a named
// parameter and sent to SQL Server as data, so it is never parsed as part of
// the SQL text — that separation is what stops injection.
const string updateSql =
    "UPDATE Contatos Set Telefone = @Telefone, " +
    "Cidade = @Cidade, " +
    "Email = @Email, " +
    "Endereco = @Endereco " +
    "WHERE Nome = @Nome";

SqlCommand comm = new SqlCommand(updateSql, conn);

// SqlParameter(name, value) infers the SQL type from the .NET value, exactly as
// AddWithValue does; a string becomes NVARCHAR sized to the input. When the
// column types are known, Parameters.Add(name, SqlDbType, size) avoids implicit
// conversions and a separate plan-cache entry per input length.
comm.Parameters.Add(new SqlParameter("@Telefone", txtTelefone.Text));
comm.Parameters.Add(new SqlParameter("@Cidade", txtCidade.Text));
comm.Parameters.Add(new SqlParameter("@Email", txtEmail.Text));
comm.Parameters.Add(new SqlParameter("@Endereco", txtEndereco.Text));
comm.Parameters.Add(new SqlParameter("@Nome", txtNome.Text));

// NOTE(review): SqlCommand is IDisposable — wrap it in a using block once the
// execute call (not shown in this snippet) is in place.