Yes, that's the sort of error it's easy to make when you build an SQL statement using string concatenation like that. Normally I would recommend using a PreparedStatement, which simplifies building the SQL and also protects against SQL injection attacks.
However, in this case, if you do that then your code will need two phases: the first would build the SQL for the PreparedStatement, and then the second would fill in the parameters. Both phases would have to do similar things, i.e. going through the fields of your model object and executing code if the field wasn't null. That's a considerable increase in complexity, so for now I would suggest you don't bother with that. Get a working version of what you have so far. But if the code becomes production code, i.e. not just a school exercise but real-life code, then I would suggest revisiting it and using PreparedStatement with the added complexity.
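One way to structure the two phases described in the post above, as an added example that is not code from the thread: the first pass appends a `?` placeholder for each non-null field and remembers its value, so the second pass only has to bind the remembered values in order. The `Person` model, the `person` table and its column names are assumptions made for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class DynamicQuery {
    // Hypothetical model object; null fields are left out of the WHERE clause.
    record Person(String firstName, String lastName, Integer age) {}

    final StringBuilder sql = new StringBuilder("SELECT * FROM person");
    final List<Object> params = new ArrayList<>();

    // Phase 1: one placeholder per non-null field, value remembered for later.
    DynamicQuery(Person filter) {
        add("first_name", filter.firstName());
        add("last_name", filter.lastName());
        add("age", filter.age());
    }

    private void add(String column, Object value) {
        if (value == null) {
            return;
        }
        // Column names are fixed in code; only values come from the caller.
        sql.append(params.isEmpty() ? " WHERE " : " AND ")
           .append(column).append(" = ?");
        params.add(value);
    }

    // Phase 2: bind the remembered values in order (JDBC indexes start at 1).
    // The caller is responsible for closing the returned statement.
    PreparedStatement prepare(Connection con) throws SQLException {
        PreparedStatement ps = con.prepareStatement(sql.toString());
        for (int i = 0; i < params.size(); i++) {
            ps.setObject(i + 1, params.get(i));
        }
        return ps;
    }

    public static void main(String[] args) {
        // Constructed input: the quote in the name stays in the parameter list
        // and never becomes part of the SQL text.
        DynamicQuery q = new DynamicQuery(new Person("O'Brien", null, 30));
        System.out.println(q.sql);
        System.out.println(q.params);
    }
}
```

Running `main` needs no database; it prints the generated SQL text and the parameter list so the placeholder order can be checked against the values before `prepare` is called on a real `Connection`.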