I suspect that your browser is suppressing the real error message. You should look to see if Friendly HTTP Error messages is turned on.

Pertinent to this forum, what you are doing appears to be ripe for SQL injection. One of the basics is to use stored procedures and pass in parameters instead of building the ad-hoc SQL.

There are all sorts of best practices out there regarding ASP and SQL Server development. I strongly suggest that you visit a few of these websites before getting too far down this path.

Kyle