Start by fixing the SQL Injection vulnerability in your code. Parameterizing queries isn't quite as simple in VBA as it is in .NET, but it's not too bad:
Append and CreateParameter Methods Example (VB) | Microsoft Docs
Something like this should work:
    Private Sub cmdadd_Click()
        If MsgBox("Do you want to add this record?", vbQuestion + vbYesNo, "Add Employee") <> vbYes Then
            Exit Sub
        End If

        Dim ConString As String
        ConString = "provider=Microsoft.jet.oledb.4.0;Data Source=""D:\My Project VB6\Tubewell.accdb"""

        ' Open the connection before attaching the command to it.
        Dim con As ADODB.Connection
        Set con = New ADODB.Connection
        con.ConnectionString = ConString
        con.Open

        Dim cmd As ADODB.Command
        Set cmd = New ADODB.Command
        Set cmd.ActiveConnection = con ' object reference, so Set is required
        ' The ? placeholders are bound by position, in the order the parameters are appended.
        cmd.CommandText = "INSERT INTO Employee_Details (EmpNo, Employee_Name, Status) VALUES (?, ?, ?)"

        ' User input is passed as typed parameter values, never concatenated into the SQL text.
        Dim p As ADODB.Parameter
        Set p = cmd.CreateParameter(, adInteger, adParamInput, , txtempno.Text)
        cmd.Parameters.Append p
        Set p = cmd.CreateParameter(, adVarChar, adParamInput, 50, empname.Text)
        cmd.Parameters.Append p
        Set p = cmd.CreateParameter(, adVarChar, adParamInput, 10, Combo1.Value)
        cmd.Parameters.Append p

        cmd.Execute
        con.Close
    End Sub
NB: You'll need to change the parameter sizes for the name and status parameters to match the database.
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP