' Injectable form: nameStr and PassStr are spliced straight into the SQL text, so a quote
' character inside either value becomes part of the statement and can change what the
' WHERE clause matches. Keep this only as the "before" example; the bound-parameter
' version further down is the fix.
Dim sqlStr = "SELECT * FROM [user] WHERE [name]='" & nameStr & "'" _
& " AND [Password] ='" & PassStr & "' "
โดนอยู่แล้วค่ะเต็มๆ
ส่วนถ้าเป็น Command parameter จะประมาณนี้
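' Parameterized login lookup: the user-supplied values are passed as bound parameters
' (@Name, @Password) instead of being concatenated into the SQL text, so they are
' treated as data only and cannot alter the structure of the query.
Dim sqlStr = "SELECT * FROM [user] WHERE ([name]=@Name) AND ([Password] = @Password) "
Dim myCommand As SqlCommand = New SqlCommand(sqlStr, myConn)
' SqlCommand exposes the collection as "Parameters" (plural); "Parameter" does not exist and fails to compile.
myCommand.Parameters.AddWithValue("@Name", UserNameStr)
myCommand.Parameters.AddWithValue("@Password", PasswordStr)
' NOTE(review): AddWithValue infers the SqlDbType from the .NET value (String -> NVARCHAR).
' If the [name]/[Password] columns are a different type, prefer
' myCommand.Parameters.Add("@Name", SqlDbType.<ColumnType>, <size>).Value = UserNameStr
' so the server does not have to apply an implicit conversion on every row.
' NOTE(review): this compares PasswordStr directly against the stored [Password] column —
' confirm the column holds a salted hash and that PasswordStr is hashed the same way before this point.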