
Getting a warning from a virtual column in a DataGridView

Updated: 2021-12-26 01:25:31


First of all, you should avoid SQL injection by creating parameterized queries.

Assuming that you'd like to display data corresponding to the date range defined by the user (Text1.Text), you can try something like this:
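' Requires Imports System.Data and Imports System.Data.OleDb at the top of the file.
' <Field_List> stands for the columns to select; con is the existing OleDbConnection.
Dim sql As String = String.Format("SELECT <Field_List> {0} FROM Tpegawai {0} WHERE DateDiff('d', Date(), thmasuk)<=?", Environment.NewLine)
Dim dt As DataTable = New DataTable()
con.Open()
Using command As OleDbCommand = New OleDbCommand(sql, con)
    ' OleDb binds parameters by position to the ? marker; the value never becomes part of the SQL text.
    ' Assumes Text1 holds a whole number of days (DateDiff('d', ...) returns a day count).
    command.Parameters.Add("@days", OleDbType.Integer).Value = Integer.Parse(Me.Text1.Text)
    ' ExecuteReader returns the rows; ExecuteNonQuery only returns an affected-row count.
    Using oRdr As OleDbDataReader = command.ExecuteReader()
        dt.Load(oRdr)
    End Using
End Using
con.Close()
'dt holds data; you can bind it with DataGridView.DataSource
DataGridView1.DataSource = dt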





For more details, see:

OleDbCommand.Parameters Property (System.Data.OleDb)
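
The difference between concatenating Text1.Text into the statement and binding it as a parameter, as an added example that is not part of the original answer. The module name, function names and sample inputs are assumptions made for illustration; the commands are only built, never executed, so no database is needed.

```vbnet
Imports System
Imports System.Data.OleDb

Module ParameterizedQueryDemo
    ' Fixed SQL text; <Field_List> is the page's placeholder for the column list.
    ' The only user-controlled part is the value bound to the ? marker.
    Private Const Sql As String =
        "SELECT <Field_List> FROM Tpegawai WHERE DateDiff('d', Date(), thmasuk)<=?"

    ' Before: the text box content becomes part of the SQL statement itself.
    Function BuildConcatenated(daysText As String) As String
        Return "SELECT <Field_List> FROM Tpegawai WHERE DateDiff('d', Date(), thmasuk)<=" & daysText
    End Function

    ' After: validate the input as a number, then bind it as a typed parameter.
    ' Returns Nothing when the input is not a whole number.
    Function BuildParameterized(daysText As String) As OleDbCommand
        Dim days As Integer
        If Not Integer.TryParse(daysText, days) Then
            Return Nothing
        End If
        Dim command As New OleDbCommand(Sql)
        command.Parameters.Add("@days", OleDbType.Integer).Value = days
        Return command
    End Function

    Sub Main()
        ' Constructed sample inputs: an expected value and text that is not a number.
        For Each sample As String In {"30", "30 OR 1=1"}
            Console.WriteLine("Input: " & sample)
            Console.WriteLine("  concatenated SQL : " & BuildConcatenated(sample))
            ' Using tolerates Nothing, so a rejected input needs no special handling here.
            Using command As OleDbCommand = BuildParameterized(sample)
                If command Is Nothing Then
                    Console.WriteLine("  parameterized    : rejected, not a whole number")
                Else
                    Console.WriteLine("  parameterized SQL: " & command.CommandText)
                    Console.WriteLine("  bound value      : " & command.Parameters(0).Value.ToString())
                End If
            End Using
        Next
    End Sub
End Module
```

With the second input the concatenated statement gains an extra condition in its WHERE clause, while the parameterized command text stays identical for every input and the non-numeric value is rejected before it reaches the database.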