' Original code from the question: the values are concatenated straight into the SQL text,
' so the OleDbParameter objects added afterwards are never referenced by the statement.
str = "INSERT INTO Log ([Číslo dílu], [Zákaznické číslo], [Výsledek], [Datum], [Čas], [ID], [Směna], [Kód operace]) values('" & cislod & "','" & zakazc & "','" & stav & "','" & formattedDate & "','" & OnlyTime & "','" & ID & "','" & smena & "','" & kod_operace & "')"
Dim cmd As OleDbCommand = New OleDbCommand(str, myConnection)
cmd.Parameters.Add(New OleDbParameter("Číslo dílu", CType(cislod, String)))
cmd.Parameters.Add(New OleDbParameter("Zákaznické číslo", CType(zakazc, String)))
cmd.Parameters.Add(New OleDbParameter("Výsledek", CType(stav, String)))
cmd.Parameters.Add(New OleDbParameter("Datum", CType(formattedDate, String)))
cmd.Parameters.Add(New OleDbParameter("Čas", CType(OnlyTime, String)))
cmd.Parameters.Add(New OleDbParameter("ID", CType(ID, String)))
cmd.Parameters.Add(New OleDbParameter("Směna", CType(smena, String)))
cmd.Parameters.Add(New OleDbParameter("Kód operace", CType(kod_operace, String)))
That's not how parameters work. You're still concatenating the parameter values directly into the query, which leaves your code vulnerable to SQL Injection.
Your query should contain parameter placeholders instead. For MS Access, that's the ? character:
str = "INSERT INTO Log ([Číslo dílu], [Zákaznické číslo], [Výsledek], [Datum], [Čas], [ID], [Směna], [Kód operace]) values(?, ?, ?, ?, ?, ?, ?, ?)"
The rest of the code remains the same. The parameter names don't matter; you just need to make sure you add them in the same order as they appear in the command text.
Once you've fixed that, you'll probably find that it fixes your "unspecified error" too.
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP
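A complete version of the corrected insert, added here as an illustration and not part of the original question or answer. It assumes an Access database reachable through the ACE OLE DB provider, the Log table and columns from the question, and that all eight values are strings; the connection string path is a placeholder.

```vb
' Added example: parameterised insert for MS Access over OLE DB.
' Connection string and the IsNothing-to-DBNull handling are assumptions, not from the question.
Imports System.Data.OleDb

Module LogInsert

    ' Inserts one row and returns the number of rows affected (1 on success).
    Public Function InsertLogRow(connectionString As String,
                                 cislod As String, zakazc As String, stav As String,
                                 formattedDate As String, onlyTime As String,
                                 id As String, smena As String, kodOperace As String) As Integer

        ' Only ? placeholders appear in the command text; no user data is concatenated,
        ' so a value such as O'Brien is stored literally instead of altering the statement.
        Const sql As String =
            "INSERT INTO Log ([Číslo dílu], [Zákaznické číslo], [Výsledek], [Datum], " &
            "[Čas], [ID], [Směna], [Kód operace]) VALUES (?, ?, ?, ?, ?, ?, ?, ?)"

        Using connection As New OleDbConnection(connectionString)
            Using cmd As New OleDbCommand(sql, connection)
                ' OLE DB binds by position: the Add order must match the ? order.
                ' The names are for readability only and are ignored by the provider.
                AddText(cmd, "cislod", cislod)
                AddText(cmd, "zakazc", zakazc)
                AddText(cmd, "stav", stav)
                AddText(cmd, "datum", formattedDate)
                AddText(cmd, "cas", onlyTime)
                AddText(cmd, "id", id)
                AddText(cmd, "smena", smena)
                AddText(cmd, "kod_operace", kodOperace)

                connection.Open()
                Return cmd.ExecuteNonQuery()
            End Using
        End Using
    End Function

    ' Adds a typed text parameter; a Nothing value is sent as SQL NULL rather than
    ' the empty string, which is what the concatenated version would have produced.
    Private Sub AddText(cmd As OleDbCommand, name As String, value As String)
        Dim p = cmd.Parameters.Add(name, OleDbType.VarWChar)
        p.Value = If(value Is Nothing, CType(DBNull.Value, Object), CType(value, Object))
    End Sub

    Sub Main()
        ' Placeholder connection string; replace the Data Source with the real .accdb path.
        Dim cs = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\path\to\database.accdb;"
        Dim rows = InsertLogRow(cs, "P-100", "Z-42", "OK", "2024-01-31", "08:15:00", "7", "A", "OP-1")
        Console.WriteLine("Rows inserted: " & rows)
    End Sub
End Module
```

The same positional rule applies to UPDATE and DELETE statements against Access: every ? in the text needs exactly one parameter added, in order, or OleDb reports a missing-parameter error rather than the "unspecified error" from the concatenated version.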