Never concatenate values from user to the SQL statement. It leaves you open to SQL injection, see
SQL injection - Wikipedia[
^]
I would suggest going through
Properly executing database operations[
^]. It should give you ideas how to work with SQL from VB. Even though SqlConnection is used in the article, the principle is the exact same for OleDbConnection.