Never concatenate actual values to the SQL statement. Instead use OleDbParameter.
So your code could look something like:
cmdInsert.CommandText = "INSERT INTO Alarm (Alarm, Date,Time) VALUES (?, ?, ?)"
MsgBox(cmdInsert.CommandText)
cmdInsert.CommandType = CommandType.Text
cmdInsert.Connection = cnnOLEDB
' OleDb binds the ? markers by position, so add the parameters in the same order
cmdInsert.Parameters.AddWithValue("@alarm", al)
cmdInsert.Parameters.AddWithValue("@date", dt)
cmdInsert.Parameters.AddWithValue("@time", tm)
cmdInsert.ExecuteNonQuery()
cmdInsert.Dispose()
That would help you against conversion problems and SQL injections.
Also don't use string data for dates or times. Instead use the native data types. As you're having both date and time separately, I'd suggest that you define only one field in the table and the data type would be datetime2. See: http://msdn.microsoft.com/en-us/library/bb677335.aspx
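Both suggestions from the answer above combined, as an added example that is not part of the original answer: typed positional parameters and a single native date/time value instead of two strings. The column name AlarmAt, the function name InsertAlarm and the connection string are hypothetical placeholders.

```vb
Imports System
Imports System.Data
Imports System.Data.OleDb

Module AlarmInsertExample
    ' Assumption: table Alarm has a text column Alarm and ONE date/time column
    ' named AlarmAt (hypothetical) replacing the separate Date and Time columns.
    Function InsertAlarm(cnn As OleDbConnection, alarmText As String,
                         datePart As DateTime, timePart As TimeSpan) As Integer
        ' Combine both parts into one native DateTime; no string formatting,
        ' so regional date settings cannot change what gets stored.
        Dim alarmAt As DateTime = datePart.Date.Add(timePart)

        Using cmd As New OleDbCommand(
            "INSERT INTO Alarm (Alarm, AlarmAt) VALUES (?, ?)", cnn)
            ' OleDb ignores parameter names and binds by position, so the
            ' order of Add calls must match the order of the ? markers.
            ' Explicit types avoid the type guessing done by AddWithValue.
            cmd.Parameters.Add("@alarm", OleDbType.VarWChar, 255).Value = alarmText
            cmd.Parameters.Add("@alarmAt", OleDbType.Date).Value = alarmAt
            Return cmd.ExecuteNonQuery()
        End Using
    End Function

    Sub Main()
        ' Placeholder: supply your own OLE DB connection string here.
        Using cnn As New OleDbConnection("<your OLE DB connection string>")
            cnn.Open()
            ' Constructed sample value: the embedded apostrophe would break a
            ' concatenated statement, but is stored verbatim as a parameter.
            Dim rows As Integer = InsertAlarm(cnn, "O'Brien's door alarm",
                                              DateTime.Today, New TimeSpan(7, 30, 0))
            Console.WriteLine("Rows inserted: " & rows)
        End Using
    End Sub
End Module
```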