It'll be easier to spot if you print out the SQL INSERT string.
But even if you fix the problem, this is still a bad way to go. You ought to be using PreparedStatement to escape and bind variables. It'll be less error prone. You'll be safer from SQL injection attacks as an added bonus.
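
The two approaches side by side, as an added example that is not part of the original answer or the asker's code. The users table, its columns, the class name and the sample values are assumptions made for illustration; pass a JDBC URL as the first argument to run the bound insert against a database.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class InsertExample {
    // Hypothetical table for illustration: users(name VARCHAR, email VARCHAR)

    // Fragile form: the values are pasted into the SQL text itself.
    static String concatenatedInsert(String name, String email) {
        return "INSERT INTO users (name, email) VALUES ('" + name + "', '" + email + "')";
    }

    // Bound form: the SQL text is fixed and the values travel as parameters,
    // so quotes inside a value can never change the shape of the statement.
    static int boundInsert(Connection conn, String name, String email) throws SQLException {
        String sql = "INSERT INTO users (name, email) VALUES (?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            ps.setString(2, email);
            return ps.executeUpdate(); // number of rows inserted
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed sample values; the apostrophe is an ordinary character in a name.
        String name = "Miles O'Brien";
        String email = "miles@example.com";

        // Printing the concatenated string makes the defect visible:
        // the apostrophe in the name closes the string literal early.
        System.out.println(concatenatedInsert(name, email));

        // With a JDBC URL supplied, the same values insert cleanly when bound.
        if (args.length > 0) {
            try (Connection conn = DriverManager.getConnection(args[0])) {
                System.out.println("rows inserted: " + boundInsert(conn, name, email));
            }
        }
    }
}
```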