Don't concatenate strings and build the sql statement. use Parameters, read
DataAdapter Parameters[
^]
sample code:
Dim selectSQL As String = _
"SELECT CustomerID, CompanyName FROM Customers " & _
"WHERE CountryRegion = ? AND City = ?"
Dim adapter As OleDbDataAdapter = New OleDbDataAdapter
Dim selectCMD AS OleDbCommand = New OleDbCommand(selectSQL, connection)
adapter.SelectCommand = selectCMD
selectCMD.Parameters.Add( _
"@CountryRegion", OleDbType.VarChar, 15).Value = "UK"
selectCMD.Parameters.Add( _
"@City", OleDbType.VarChar, 15).Value = "London"
Dim customers As DataSet = New DataSet
adapter.Fill(customers, "Customers")