Firstly, your code is at risk of SQL Injection - never concatenate user input into SQL statements like this. Use parameterised queries instead.
One of the advantages of using parameters is also not having to worry about single quote marks on date and text fields.
Your code could be changed as follows:
Dim sql As String = "SELECT remittance_no, remit_date, messenger, item, item_value, rate.product, rate.product_value "
sql += "FROM remittance INNER JOIN rate ON rate.product=remittance.item "
sql += "where rate.ratecode = @RateCode And remittance.messenger = @Messenger "
sql += "and remit_date between @Date1 and @Date2 "
sql += "order by remit_date asc"
Then assuming you have something like
Dim command As SqlCommand = New SqlCommand()
and the associated connection etc. (or just substitute your variable name for command in the code below):
command.Parameters.AddWithValue("@RateCode", txtRateCode.Text)
' txtMessenger is an assumed control name; use whichever control holds the messenger value
command.Parameters.AddWithValue("@Messenger", txtMessenger.Text)
command.Parameters.AddWithValue("@Date1", DateTimePicker1.Value)
command.Parameters.AddWithValue("@Date2", DateTimePicker2.Value)
Note that with DateTimePicker controls you can avoid the time element by using DateTimePicker1.Value.Date
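The pieces above assembled into one function, as an added example that is not part of the original answer. It uses explicitly typed parameters instead of AddWithValue; the function name, the connection string argument and the column types and sizes are assumptions.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

Module RemittanceQueries
    ' Hypothetical helper: returns remittances for one rate code and messenger
    ' within a date range. Column types and sizes below are assumptions;
    ' match them to the real table definitions.
    Public Function LoadRemittances(connectionString As String,
                                    rateCode As String,
                                    messenger As String,
                                    fromDate As Date,
                                    toDate As Date) As DataTable
        ' The SQL text is a constant; user input never becomes part of it.
        Dim sql As String =
            "SELECT remittance_no, remit_date, messenger, item, item_value, " &
            "rate.product, rate.product_value " &
            "FROM remittance INNER JOIN rate ON rate.product = remittance.item " &
            "WHERE rate.ratecode = @RateCode AND remittance.messenger = @Messenger " &
            "AND remit_date BETWEEN @Date1 AND @Date2 " &
            "ORDER BY remit_date ASC"

        Dim result As New DataTable()
        Using connection As New SqlConnection(connectionString)
            Using command As New SqlCommand(sql, connection)
                ' Typed parameters: values are sent as data, so quotes or SQL
                ' keywords typed into a text box cannot alter the statement.
                command.Parameters.Add("@RateCode", SqlDbType.NVarChar, 50).Value = rateCode
                command.Parameters.Add("@Messenger", SqlDbType.NVarChar, 100).Value = messenger
                ' .Date drops the time element, as noted for DateTimePicker values.
                command.Parameters.Add("@Date1", SqlDbType.DateTime).Value = fromDate.Date
                command.Parameters.Add("@Date2", SqlDbType.DateTime).Value = toDate.Date

                connection.Open()
                Using reader As SqlDataReader = command.ExecuteReader()
                    result.Load(reader)
                End Using
            End Using
        End Using
        Return result
    End Function
End Module
```

If remit_date stores a time of day, BETWEEN with a midnight upper bound excludes rows later on the final day; in that case compare with `remit_date < @Date2` and pass `toDate.Date.AddDays(1)`.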