VB SQL statement not selecting the correct row

I'm trying to use a SELECT statement to "select" a person in my database, and it isn't selecting the correct person at all. I'm not sure why, either.

I am using an Access database.

Database connection code:

    Imports System.Data.OleDb

    Module Database_Connection

        Public provider As String 'This will tell VS what database source type to use.
        Public datafile As String 'This will provide the file itself that VS will use.
        Public connstring As String 'This is the connection string that will tie the Provider and Datafile together so that we can make a physical connection
        Public myconnection As OleDbConnection = New OleDbConnection 'Sets the variable myconnection as a new Connection to the database using the OleDb type.
        Public dr As OleDbDataReader 'This will be used to read data from the database.

        Public Sub Access_Database()
            provider = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source ="
            datafile = "Folly_Beach_Data.accdb"
            connstring = provider & datafile
            myconnection.ConnectionString = connstring
            Try
                myconnection.Open() 'Opens the connection to test it.
            Catch ex As Exception
                MessageBox.Show("Error" & vbCrLf & vbCrLf & "Original Error: " & ex.ToString)
                'This is an error that most likely many people will receive on their computers. I noticed the problem a
                'while ago and looked for a way to fix it. This is both the easiest and only method to correct the error stated below.
                'It doesn't force you to download anything, you have to select the option to do so.
                If MsgBox("If you received an error that states: " & vbCrLf _
                          & Quotes & "The microsoft.ACE.OLEDB.12.0' provider is not registered on the local machine." _
                          & Quotes & "Please press ok to install the database engine: ", MsgBoxStyle.OkCancel, _
                          "Error") = MsgBoxResult.Ok Then
                    System.Diagnostics.Process.Start("http://www.microsoft.com/en-us/download/confirmation.aspx?id=23734")
                    'This opens the webpage to directly download the file. As soon as you press okay on the messagebox the file is
                    'instantly ready for download.
                Else
                    MessageBox.Show("Here is the link for future reference if you would like to download it at a later time: " _
                                    & vbCrLf & vbCrLf & "http://bit.ly/19FWu09", "For later")
                    'In case you are untrusting of the file or cannot download it at the present time, it gives a link for later installation
                    ConnectionError = True 'For Description view "MyVariables"
                    myconnection.Close() 'Closes the connection
                End If
            Finally
                'If myconnection.State = ConnectionState.Open Then
                '    MessageBox.Show("The database was successfully connected to", "Success", MessageBoxButtons.OK)
                'End If
                ConnectionError = False
                myconnection.Close() 'Closes the connection so we can open at a later time.
                'Trying to re-use or re-open a connection string will crash the program.
            End Try
        End Sub

    End Module

And here is where I'm selecting the person in my code:

Note that I am checking the phone number and the zip code to see whether that person is that person. (This isn't secure, I realize. This is a school project.) So I'm using both SELECT statements at the start to verify that person's information. And it works correctly. If the phone number is correct but the zip code is not, it shows that it is not correct and does not continue. I do this as a nested SELECT statement.

    Private Sub ReturningCheck()
        Dim Phone As String = Phonetxt.Text
        Dim Zip As String = ziptxt.Text
        GuestFound = False
        Try
            myconnection.Open()
            Dim str As String
            str = "SELECT * FROM Customers WHERE Customer_Phone_Number='" & Phone & "'"
            Dim cmd As OleDbCommand = New OleDbCommand(str, myconnection)
            dr = cmd.ExecuteReader
            If dr.Read Then
                str = "Select * FROM Customers WHERE Customer_Address_Zip='" & Zip & "'"
                cmd = New OleDbCommand(str, myconnection)
                dr = cmd.ExecuteReader
                If dr.Read Then
                    GuestName = dr("Customer_Name")
                    MessageBox.Show("Welcome back " & GuestName & ".")
                    GuestFound = True
                Else
                    MessageBox.Show("The Phone number Matches but the zipcode does not, please re-enter the zip code that you first signed up with.")
                    ziptxt.Focus()
                    ziptxt.SelectAll()
                End If
            Else
                MessageBox.Show("That phone number does not exist in our records please re-enter the phone number in the format of 8001231234")
                Phonetxt.Focus()
                Phonetxt.SelectAll()
            End If
        Catch ex As Exception
            MessageBox.Show("There was an error retrieving your information from the database" _
                            & vbCrLf & vbCrLf & "Original Error: " & ex.ToString, _
                            "Error", MessageBoxButtons.OK, MessageBoxIcon.Error)
        Finally
            myconnection.Close()
        End Try
    End Sub

I try to do the last person in the database but it returns the second person's name. So what's wrong with it? Any help will be appreciated.

Instead of calling two SQL statements in a row, combine the conditions in the WHERE clause of a single SQL statement, like this:

    str = "SELECT * FROM Customers WHERE Customer_Phone_Number='" & Phone & _
          "' AND Customer_Address_Zip='" & Zip & "'"

As suggested below, you should fix your code to make sure it is protected against SQL attacks. In short, any time you insert a string from a user-entered field, you should sanitize it. The best way to achieve this is by using a parameterized query. Search for "parameterized query in VB"; you will find plenty of examples.
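
The combined lookup from this answer written as a parameterized query, as an added example (not code from the asker or the answerer). The table name, column names and connection string come from the question; the function name, the 10-digit phone and 5-digit zip formats, and the sample values are assumptions.

```vbnet
Imports System.Data.OleDb
Imports System.Text.RegularExpressions

Module ReturningGuestLookup
    ' Connection string from the question; the .accdb file must sit beside the executable.
    Private Const ConnString As String =
        "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=Folly_Beach_Data.accdb"

    ' Returns the guest's name when phone AND zip match the same row, otherwise Nothing.
    Public Function FindReturningGuest(phone As String, zip As String) As String
        ' Reject malformed input early (assumed formats: 10-digit phone, 5-digit zip).
        If Not Regex.IsMatch(phone, "^[0-9]{10}$") OrElse
           Not Regex.IsMatch(zip, "^[0-9]{5}$") Then
            Return Nothing
        End If

        ' The OleDb provider binds parameters by position, not by name, so the
        ' order of Parameters.Add must match the order of the ? placeholders.
        Const sql As String =
            "SELECT Customer_Name FROM Customers " &
            "WHERE Customer_Phone_Number = ? AND Customer_Address_Zip = ?"

        ' Using blocks close the connection even when an exception is thrown.
        Using conn As New OleDbConnection(ConnString)
            Using cmd As New OleDbCommand(sql, conn)
                ' Values travel as typed data and are never spliced into the SQL text.
                cmd.Parameters.Add("@phone", OleDbType.VarWChar, 10).Value = phone
                cmd.Parameters.Add("@zip", OleDbType.VarWChar, 5).Value = zip
                conn.Open()
                ' ExecuteScalar returns the first column of the first row, or Nothing.
                Dim result As Object = cmd.ExecuteScalar()
                If result Is Nothing OrElse result Is DBNull.Value Then Return Nothing
                Return CStr(result)
            End Using
        End Using
    End Function

    Sub Main()
        ' Constructed sample values, not taken from the page.
        Console.WriteLine(If(FindReturningGuest("8001231234", "29439"), "no match"))
        ' A value containing a quote fails validation; without the validation it
        ' would still be bound as data rather than parsed as SQL.
        Console.WriteLine(If(FindReturningGuest("800'123123", "29439"), "no match"))
    End Sub
End Module
```

Because both conditions are checked in one statement, the name returned always belongs to the row whose phone number and zip code both match.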