Why not keep it clean instead of mixing the Parameterized and regular query with string concatenation? Stick with Parameterized. This will save you some headaches down the road, like SQL injection vulnerabilities, and avoid the syntax issue.
Another observation: it looks like txtBillID, txtBillNo and txtCheckInID should be integers, so you might need to update the code to convert the strings into integers before inserting them into the table.
Dim cb1 As String = "insert into CheckOut_Room(ID,BillNo,CheckInID,BillDate,Notes ) VALUES (@d1, @d2, @d3, @d4,@d5)"
cmd = New SqlCommand(cb1)
cmd.Connection = con
cmd.Parameters.AddWithValue("@d1", txtBillID.Text)
cmd.Parameters.AddWithValue("@d2", txtBillNo.Text)
cmd.Parameters.AddWithValue("@d3", txtCheckInID.Text)
cmd.Parameters.AddWithValue("@d4", dtpBillDate.Value)
cmd.Parameters.AddWithValue("@d5", txtNotes.Text)
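
Added example (not part of the original answer): the same insert with the three ID fields parsed to integers and each parameter given an explicit type, so non-numeric input is rejected before anything reaches the server. The helper name BuildCheckOutInsert and the column types (int, int, int, datetime, nvarchar(max)) are assumptions; adjust them to the real table definition.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

Module CheckOutInsertExample
    ' Hypothetical helper: validates the text-box values and returns a
    ' fully parameterized command. No user input is concatenated into the SQL.
    Function BuildCheckOutInsert(con As SqlConnection,
                                 billIdText As String,
                                 billNoText As String,
                                 checkInIdText As String,
                                 billDate As Date,
                                 notes As String) As SqlCommand
        Dim billId, billNo, checkInId As Integer

        ' TryParse fails cleanly on empty or non-numeric text instead of
        ' leaving the conversion to SQL Server at execution time.
        If Not Integer.TryParse(billIdText, billId) Then
            Throw New ArgumentException("Bill ID must be a whole number.")
        End If
        If Not Integer.TryParse(billNoText, billNo) Then
            Throw New ArgumentException("Bill No must be a whole number.")
        End If
        If Not Integer.TryParse(checkInIdText, checkInId) Then
            Throw New ArgumentException("Check-in ID must be a whole number.")
        End If

        Dim sql As String = "insert into CheckOut_Room(ID,BillNo,CheckInID,BillDate,Notes) " &
                            "VALUES (@d1, @d2, @d3, @d4, @d5)"
        Dim cmd As New SqlCommand(sql, con)

        ' Explicit SqlDbType values (assumed column types) avoid the type
        ' inference that AddWithValue performs on String arguments.
        cmd.Parameters.Add("@d1", SqlDbType.Int).Value = billId
        cmd.Parameters.Add("@d2", SqlDbType.Int).Value = billNo
        cmd.Parameters.Add("@d3", SqlDbType.Int).Value = checkInId
        cmd.Parameters.Add("@d4", SqlDbType.DateTime).Value = billDate
        ' Size -1 means nvarchar(max); a Nothing value is stored as an empty string.
        cmd.Parameters.Add("@d5", SqlDbType.NVarChar, -1).Value = If(notes, "")
        Return cmd
    End Function

    ' Usage from the form, with an open connection "con":
    '   Using cmd = BuildCheckOutInsert(con, txtBillID.Text, txtBillNo.Text,
    '                                   txtCheckInID.Text, dtpBillDate.Value, txtNotes.Text)
    '       cmd.ExecuteNonQuery()
    '   End Using
End Module
```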