vb.net insert query

Please help me determine what's wrong with my code. The query seems to be fine; I tried executing it on phpmyadmin.

  Dim cmdString As OdbcCommand
        cmdString = New OdbcCommand("INSERT INTO info_student (`idno`, `Last Name`, `First Name`, `Year and Section`, `Birthday`, `Address`) VALUES('" & (TextBox6.Text) & "','" & (TextBox1.Text) & "','" & (TextBox2.Text) & "','" & (TextBox3.Text) & "','" & (TextBox8.Text) & "','" & (TextBox10.Text) & "','" & (TextBox4.Text) & "'", con)
        cmdString.ExecuteNonQuery()

I got this error:

ERROR [42000] [MySQL][ODBC 5.1 Driver][mysqld-5.1.36-community-log]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1


You're missing the closing parens at the end of the insert statement.

                                                    V
...& (TextBox10.Text) & "','" & (TextBox4.Text) & "')", con)...
                                                    ^


I think that one of the values you're trying to insert already contains a single quote (') and therefore the SQL statement becomes invalid.

Please read some articles about SQL Injection, your code is vulnerable!
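
An added example (not part of the original question or answers) of the parameterized form that the SQL injection warning above points to: each value is bound through an ODBC `?` placeholder, so a single quote in the input is stored as data and cannot break or alter the statement. The helper name `InsertStudent`, its arguments and the column types (`VarChar`, `Date`) are assumptions; only the table and column names come from the question.

```vb
Imports System.Data.Odbc

Module StudentInsertExample
    ' Hypothetical helper, not from the original post. Inserts one row into
    ' info_student using positional ODBC parameters instead of concatenation.
    Function InsertStudent(con As OdbcConnection,
                           idno As String,
                           lastName As String,
                           firstName As String,
                           yearAndSection As String,
                           birthday As Date,
                           address As String) As Integer
        ' Six columns, six "?" placeholders, and the closing parenthesis.
        Dim sql As String = "INSERT INTO info_student " &
            "(`idno`, `Last Name`, `First Name`, `Year and Section`, `Birthday`, `Address`) " &
            "VALUES (?, ?, ?, ?, ?, ?)"

        Using cmd As New OdbcCommand(sql, con)
            ' ODBC binds by position, not by name: the parameter names are
            ' labels only, so the order here must match the column list.
            ' Column types are assumed; adjust them to the real schema.
            cmd.Parameters.Add("@idno", OdbcType.VarChar).Value = idno
            cmd.Parameters.Add("@lastName", OdbcType.VarChar).Value = lastName
            cmd.Parameters.Add("@firstName", OdbcType.VarChar).Value = firstName
            cmd.Parameters.Add("@yearAndSection", OdbcType.VarChar).Value = yearAndSection
            cmd.Parameters.Add("@birthday", OdbcType.Date).Value = birthday
            cmd.Parameters.Add("@address", OdbcType.VarChar).Value = address

            ' Returns the number of rows inserted (1 on success).
            Return cmd.ExecuteNonQuery()
        End Using
    End Function

    ' Constructed sample call: the apostrophe in O'Brien is sent as a bound
    ' value, so it needs no escaping and cannot terminate a SQL string.
    Sub Demo(con As OdbcConnection)
        Dim rows As Integer = InsertStudent(con, "2011-0001", "O'Brien", "Anna",
                                            "3-A", New Date(1995, 4, 12),
                                            "12 Sample St.")
        Console.WriteLine("Rows inserted: " & rows)
    End Sub
End Module
```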


Try changing your quotes to ' rather than the tilted quote character
