VB.Net ignores isDBNull condition - vb.net

I'm programming a dog adoption form. It retrieves data from an Access DB, then the user can adopt up to three dogs, each one of them specified in 3 different fields. I'm doing it this way because I previously tried to do it with arrays, with no luck.
The issue comes here (highlighted in bold):
Try
Dim conexion As New OleDb.OleDbConnection("Provider=Microsoft.ACE.OLEDB.12.0;Data Source=|DataDirectory|\PerrosDB.mdb;")
conexion.Open()
Dim cmd As New OleDb.OleDbCommand
cmd.Connection = conexion
cmd.CommandType = CommandType.Text
cmd.CommandText = "select adopcion1, adopcion2, adopcion3 from usuarios where codigo_usuario = " & FormPrincipal.codigo_usuario & ""
Dim dr As OleDb.OleDbDataReader
dr = cmd.ExecuteReader
While dr.Read()
**If dr.IsDBNull(1) Then
posicionAdopcion = 1
ElseIf dr.IsDBNull(2) Then
posicionAdopcion = 2
ElseIf dr.IsDBNull(3) Then
posicionAdopcion = 3
Else
MsgBox("Lo sentimos, solo puedes hacer un máximo de 3 adopciones")
Exit Sub**
End If
End While
dr.Close()
conexion.Close()
Catch ex As Exception
MsgBox(ex.Message & "Saliendo de la aplicación.")
Me.Close()
End Try
and
Try
Dim conexion As New OleDb.OleDbConnection("Provider=Microsoft.ACE.OLEDB.12.0;Data Source=|DataDirectory|\PerrosDB.mdb;")
conexion.Open()
Dim cmd As New OleDb.OleDbCommand
cmd.Connection = conexion
cmd.CommandType = CommandType.Text
**If (posicionAdopcion = 1) Then
cmd.CommandText = "UPDATE USUARIOS SET ADOPCION1 = '" & nombrePerro & "' WHERE codigo_usuario = " & FormPrincipal.codigo_usuario & ""
ElseIf (posicionAdopcion = 2) Then
cmd.CommandText = "UPDATE USUARIOS SET ADOPCION2 = '" & nombrePerro & "' WHERE codigo_usuario = " & FormPrincipal.codigo_usuario & ""
ElseIf (posicionAdopcion = 3) Then
cmd.CommandText = "UPDATE USUARIOS SET ADOPCION3 = '" & nombrePerro & "' WHERE codigo_usuario = " & FormPrincipal.codigo_usuario & ""
End If**
cmd.ExecuteNonQuery()
conexion.Close()
Catch ex As Exception
MsgBox(ex.Message & "Saliendo de la aplicación...")
Me.Close()
End Try
What I'm trying to do is to check if the adoption fields (adopcion1, adopcion2, adopcion3) are empty; if they are, place the name of the dog there. If they are not, check for the next free slot. If none is available, print the corresponding error message. But what the program does is overwrite adopcion1 (the first field) no matter what.
I have checked this thread; I may be having a similar issue misunderstanding IsDBNull usage, but so far I'm trying to do what is stated there with no result.
What am I doing wrong?

I got it; as I expected, it was a silly mistake: I was retrieving the first data field from 1 and not from 0, thus skipping it entirely:
If dr.IsDBNull(0) Then
posicionAdopcion = 1
But yes, the code seems clunky; I didn't know about SQL parameters, going to check them ASAP.
Thanks for the help!
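As an added example (not code from the question or its answer), here is the same slot-finding and update logic in Python against an in-memory SQLite stand-in for the usuarios table, since that runs without an Access file; sqlite3's ? placeholders are bound positionally, like OleDb parameters. It shows the 0-based reader index behind the fix above, how a dog name with an apostrophe or an unvalidated id breaks the concatenated SQL, and the parameterized version with the column name taken from a fixed whitelist; the table rows are constructed.

```python
import sqlite3

# Constructed in-memory stand-in for the Access table "usuarios" (column
# names from the question; the rows are made up for the demo).
SEED_ROWS = [(1, None, None, None), (2, "Rex", None, None), (3, "Rex", "Luna", "Toby")]
SLOT_COLUMNS = {1: "adopcion1", 2: "adopcion2", 3: "adopcion3"}  # fixed whitelist

def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE usuarios (codigo_usuario INTEGER PRIMARY KEY, "
                "adopcion1 TEXT, adopcion2 TEXT, adopcion3 TEXT)")
    con.executemany("INSERT INTO usuarios VALUES (?, ?, ?, ?)", SEED_ROWS)
    return con

def first_free_slot(row):
    """1-based number of the first empty adopcionN in a reader row, or None.
    Reader columns are 0-based, so adopcion1 is row[0]: testing index 1
    first is exactly the off-by-one that skipped the first slot."""
    for index, value in enumerate(row[:3]):
        if value is None:
            return index + 1
    return None

def adopt_concatenated(con, user_id, dog_name):
    """The posted approach: text box values glued into the SQL string."""
    row = con.execute("SELECT adopcion1, adopcion2, adopcion3 FROM usuarios "
                      "WHERE codigo_usuario = " + str(user_id)).fetchone()
    slot = first_free_slot(row) if row else None
    if slot is None:
        return 0
    sql = "UPDATE usuarios SET %s = '%s' WHERE codigo_usuario = %s" % (
        SLOT_COLUMNS[slot], dog_name, user_id)
    return con.execute(sql).rowcount

def adopt_parameterized(con, user_id, dog_name):
    """Same logic with validated input and bound parameters; the column name
    comes from the whitelist, never from input (identifiers cannot be bound)."""
    user_id = int(user_id)  # the TryParse step: reject anything that is not a number
    row = con.execute("SELECT adopcion1, adopcion2, adopcion3 FROM usuarios "
                      "WHERE codigo_usuario = ?", (user_id,)).fetchone()
    slot = first_free_slot(row) if row else None
    if slot is None:
        return 0
    sql = "UPDATE usuarios SET %s = ? WHERE codigo_usuario = ?" % SLOT_COLUMNS[slot]
    return con.execute(sql, (dog_name, user_id)).rowcount

def run_demo():
    """Run both versions on fresh tables; returns rows affected per case."""
    results = {}
    con = open_db()
    results["concat_normal"] = adopt_concatenated(con, 1, "Rex")
    try:  # a legitimate name with an apostrophe breaks the concatenated SQL
        results["concat_apostrophe"] = adopt_concatenated(con, 2, "O'Malley")
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "syntax error"
    # a non-numeric id string rewrites the WHERE clause and touches every row
    results["concat_unchecked_id"] = adopt_concatenated(con, "1 OR 1=1", "Rex")
    con = open_db()
    results["param_apostrophe"] = adopt_parameterized(con, 2, "O'Malley")
    try:
        results["param_unchecked_id"] = adopt_parameterized(con, "1 OR 1=1", "Rex")
    except ValueError:
        results["param_unchecked_id"] = "rejected"
    results["param_no_free_slot"] = adopt_parameterized(con, 3, "Rex")
    return results
```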

Related

How to solve this syntax error in UPDATE statement

I'm getting a syntax error on the update statement and I don't know how to solve this problem.
Private Sub editStaff()
Try
If con.State = ConnectionState.Closed Then
con.Open()
End If
If IDTextBox.Text <> "" And FirstTextBox.Text <> "" And SecondTextBox.Text <> "" And UsernameTextBox.Text <> "" And PasswordTextBox.Text <> "" Then
strSQL = "update Staff set First_Name = '" & FirstTextBox.Text & "', " &
"Second_Name = '" & SecondTextBox.Text & "', " & "Username = '" & UsernameTextBox.Text & "', " &
"Password = '" & PasswordTextBox.Text & "'" & " where ID = " & CInt(IDTextBox.Text) & ""
Dim cmd As OleDbCommand = New OleDbCommand(strSQL, con)
Try
cmd.ExecuteNonQuery()
cmd.Dispose()
con.Close()
MessageBox.Show("Update Successful")
Catch ex As Exception
MessageBox.Show(ex.Message)
End Try
End If
Catch ex As Exception
MessageBox.Show(ex.ToString)
End Try
End Sub
For some reason your validation If did not include the ID text box. I added validation for this text box. The OrElse is a short circuit. As soon as it finds a True it stops checking the conditions and proceeds to the next line.
This code
If con.State = ConnectionState.Closed Then
con.Open()
End If
is completely unnecessary if you keep your database objects local. Keeping them local allows you to ensure they are closed and disposed with Using...End Using blocks.
Don't open the connection until you need it, which is directly before the .Execute... line. Use parameters to avoid SQL injection. Also, your Update statement is much easier to write without all the single quotes, double quotes and ampersands.
Caution: In Access, the order in which the parameters appear in the SQL statement must match the order in which they are added to the .Parameters collection.
Finally, you should NEVER store passwords as plain text. I will leave it to you to research salting and hashing and correct the code.
Private Sub editStaff()
Dim i As Integer
' The message is for the failure case, so the TryParse result must be negated
If Not Integer.TryParse(IDTextBox.Text, i) Then
MessageBox.Show("ID text box must be a number")
Return
End If
If IDTextBox.Text = "" OrElse FirstTextBox.Text = "" OrElse SecondTextBox.Text = "" OrElse UsernameTextBox.Text = "" OrElse PasswordTextBox.Text = "" Then
MessageBox.Show("Please fill in all text boxes")
Return
End If
Try
Using con As New OleDbConnection("Your connection string")
Dim strSQL = "Update Staff set First_Name = @FirstName, Second_Name = @SecondName, [Username] = @UserName, [Password] = @Password Where [ID] = @ID"
Using cmd As New OleDbCommand(strSQL, con)
' Access binds parameters by position: add them in the order they appear in strSQL
With cmd.Parameters
.Add("@FirstName", OleDbType.VarChar).Value = FirstTextBox.Text
.Add("@SecondName", OleDbType.VarChar).Value = SecondTextBox.Text
.Add("@UserName", OleDbType.VarChar).Value = UsernameTextBox.Text
.Add("@Password", OleDbType.VarChar).Value = PasswordTextBox.Text
.Add("@ID", OleDbType.Integer).Value = i
End With
con.Open()
cmd.ExecuteNonQuery()
End Using
End Using
MessageBox.Show("Update Successful")
Catch ex As Exception
MessageBox.Show(ex.ToString)
End Try
End Sub
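The answer's last point, salting and hashing instead of storing the password, as an added example that is not part of the original answer: Python with the standard library's PBKDF2-HMAC-SHA256 and an in-memory SQLite stand-in for the Staff table (constructed; the column names come from the question). The [Password] column receives a self-describing hash string, and a login check recomputes the hash instead of comparing plaintext; the seed row still holds a plaintext password, as the original code stored it, to show that such rows fail closed.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise as hardware gets faster

def hash_password(password, salt=None):
    """Return "pbkdf2_sha256$iterations$salt$hash" (hex fields). A fresh random
    salt per user means two staff with the same password get different stored
    values, so one cracked hash says nothing about the others."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count and compare in
    constant time. Anything not in the expected format (for example a legacy
    plaintext row) fails closed instead of raising."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    try:
        iterations, salt, expected = int(parts[1]), bytes.fromhex(parts[2]), parts[3]
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), expected)

# Constructed in-memory stand-in for the Access "Staff" table (column names from
# the question); the seed row stores the password in plaintext as the old code did.
def open_staff_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Staff (ID INTEGER PRIMARY KEY, Username TEXT, Password TEXT)")
    con.execute("INSERT INTO Staff VALUES (1, 'jdoe', 'hunter2')")
    return con

def set_staff_password(con, staff_id, new_password):
    """The [Password] = @Password part of the UPDATE, storing only the hash."""
    stored = hash_password(new_password)
    return con.execute("UPDATE Staff SET Password = ? WHERE ID = ?",
                       (stored, staff_id)).rowcount

def check_staff_login(con, username, password):
    """Login check that never compares plaintext against the table."""
    row = con.execute("SELECT Password FROM Staff WHERE Username = ?",
                      (username,)).fetchone()
    return row is not None and verify_password(password, row[0])
```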

Updating SQL database Issue [closed]

Closed 4 years ago.
Thanks so much for your response. So I've made the changes you suggested, but I'm still not getting my database to update. The only thing that I have changed from your code is the MessageBox lines. I changed those to alert messages. What am I missing here? Maybe my variables need to be declared differently. Thanks!!!
Protected Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
Dim x As Integer
Dim z As Integer
Dim r As Integer
Dim V1 As String
Dim V2 As String
' These three assignments are redundant (the TryParse calls below do the conversion)
' and throw on non-numeric text before any validation runs
x = txbPalletNumber.Text
z = txbOrderNumber.Text
r = txbShipmentNumber.Text
Try
Using conn As New OleDbConnection("Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\inetpub\wwwroot\Traceability\Traceability.accdb")
If Not Integer.TryParse(txbPalletNumber.Text, x) Then
Response.Write("<script type=""text/javascript"">alert(""Pallet Number must be a Number"");</script>")
Exit Sub
End If
If Not Integer.TryParse(txbOrderNumber.Text, z) Then
Response.Write("<script type=""text/javascript"">alert(""Order Number must be a Number"");</script>")
Exit Sub
End If
If Not Integer.TryParse(txbShipmentNumber.Text, r) Then
Response.Write("<script type=""text/javascript"">alert(""Shipment Number must be a Number"");</script>")
Exit Sub
End If
Using cmd As New OleDbCommand("SELECT Status FROM tblPalletRecords WHERE Palletnumber = @x ", conn)
cmd.Parameters.Add("@x", OleDbType.Integer).Value = x
conn.Open()
V1 = CStr(cmd.ExecuteScalar())
conn.Close()
End Using
If V1 = "In Stock" Then
Using cmd2 As New OleDbCommand("UPDATE tblPalletRecords SET OrderNumber = @z, ShipmentNumber = @r WHERE PalletNumber = @x", conn)
' Access binds parameters by position, so this order must match the SQL text
cmd2.Parameters.Add("@z", OleDbType.Integer).Value = z
cmd2.Parameters.Add("@r", OleDbType.Integer).Value = r
cmd2.Parameters.Add("@x", OleDbType.Integer).Value = x
conn.Open()
cmd2.ExecuteNonQuery()
conn.Close()
End Using
Using cmd3 As New OleDbCommand("SELECT Status FROM tblPalletRecords WHERE Palletnumber = @x", conn)
cmd3.Parameters.Add("@x", OleDbType.Integer).Value = x
conn.Open()
V2 = CStr(cmd3.ExecuteScalar())
conn.Close()
End Using
Response.Write("<script type=""text/javascript"">alert(""The Status to " & x & " has Changed to " & V2 & """);</script>")
Else
Response.Write("<script type=""text/javascript"">alert(""The Pallet is not In Stock to Ship"");</script>")
End If
End Using
Catch ex As Exception
'Error handling - this block is empty, so any exception (a failed cast above, a locked
'.accdb, a wrong column name) is swallowed and the page silently does nothing
End Try
txbSearch.Text = txbPalletNumber.Text
GridView1.DataBind()
End Sub
You overwrite the value of your CommandText with a select statement before executing the update statement, so it is never run.
You can declare a new OleDbCommand, since the last command overwrites the update command:
Dim cmd2 As New OleDbCommand
'Set the command properties (cmd2 needs the connection as well).
cmd.Connection = conn
cmd2.Connection = conn
cmd.CommandText = "SELECT Status FROM tblPalletRecords WHERE Palletnumber = " & x & " "
V1 = cmd.ExecuteScalar()
If V1 = "In Stock" Then
cmd2.CommandText = "UPDATE tblPalletRecords SET OrderNumber = " & z & ", ShipmentNumber = " & r & " WHERE PalletNumber = " & x & " "
'Run the update before re-reading the status, otherwise V2 still shows the old value
cmd2.ExecuteNonQuery()
cmd.CommandText = "SELECT Status FROM tblPalletRecords WHERE Palletnumber = " & x & " "
V2 = cmd.ExecuteScalar()
Response.Write("<script type=""text/javascript"">alert(""The Status to " & x & " has Changed to " & V2 & """);</script>")
Else
Response.Write("<script type=""text/javascript"">alert(""The Pallet is not In Stock to Ship"");</script>")
End If
conn.Close()
Turn on Option Strict now and for all your projects. Open your connection directly before your execute and close it immediately after. Check with TryParse that you have the correct numeric input. Use parameters always. It will curtail the disastrous SQL injection and make your SQL statements easier to write.
I have added Using..End Using statements. This will take care of disposing your objects. It will also close your connection if an error occurs before a .Close() method is reached. I would have liked to reuse the x parameter, but Access does not care about parameter names, only the order in the SQL statement, so I used a new command each time. I have shown how to use constructors to save a few lines of code: passing the connection string in the connection constructor and passing the CommandText and the Connection directly to the Command constructor. It appeared from your SQL statements that x, z, and r are all numeric types, not strings, so I guessed at Integer. You may have to change this, depending on the data type in the table.
Dim x As Integer
Dim z As Integer
Dim r As Integer
Dim V1 As String
Dim V2 As String
Try
Using conn As New OleDbConnection("Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\inetpub\wwwroot\Traceability\Traceability.accdb")
If Not Integer.TryParse(txbPalletNumber.Text, x) Then
MessageBox.Show("Please enter a number for the Pallet.")
Exit Sub
End If
If Not Integer.TryParse(txbOrderNumber.Text, z) Then
MessageBox.Show("Please enter a number for the Order Number.")
Exit Sub
End If
If Not Integer.TryParse(txbShipmentNumber.Text, r) Then
MessageBox.Show("Please enter a number for the Shipment Number.")
Exit Sub
End If
Using cmd As New OleDbCommand("SELECT Status FROM tblPalletRecords WHERE Palletnumber = @x ", conn)
cmd.Parameters.Add("@x", OleDbType.Integer).Value = x
conn.Open()
V1 = CStr(cmd.ExecuteScalar())
conn.Close()
End Using
If V1 = "In Stock" Then
Using cmd2 As New OleDbCommand("UPDATE tblPalletRecords SET OrderNumber = @z, ShipmentNumber = @r WHERE PalletNumber = @x", conn)
' Parameters are bound by position in Access: same order as in the SQL text
cmd2.Parameters.Add("@z", OleDbType.Integer).Value = z
cmd2.Parameters.Add("@r", OleDbType.Integer).Value = r
cmd2.Parameters.Add("@x", OleDbType.Integer).Value = x
conn.Open()
cmd2.ExecuteNonQuery()
conn.Close()
End Using
Using cmd3 As New OleDbCommand("SELECT Status FROM tblPalletRecords WHERE Palletnumber = @x", conn)
cmd3.Parameters.Add("@x", OleDbType.Integer).Value = x
conn.Open()
V2 = CStr(cmd3.ExecuteScalar())
conn.Close()
End Using
Response.Write("<script type=""text/javascript"">alert(""The Status to " & x & " has Changed to " & V2 & """);</script>")
Else
Response.Write("<script type=""text/javascript"">alert(""The Pallet is not In Stock to Ship"");</script>")
End If
End Using
Catch ex As Exception
'Error handling
End Try
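The positional-binding caveat from the first related answer and the remark above that Access ignores parameter names, as an added example that is not code from either answer: Python with sqlite3, where a small helper mimics the Access/OleDb rule (names ignored, values bound in the order they were added) on the Staff UPDATE statement from that answer, alongside a defensive wrapper that binds by name. The Staff table is a constructed in-memory stand-in and "<hash>" stands in for a password hash.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the Access "Staff" table (column names
# from the question; the row is made up).
def open_staff_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Staff (ID INTEGER PRIMARY KEY, First_Name TEXT, "
                "Second_Name TEXT, Username TEXT, Password TEXT)")
    con.execute("INSERT INTO Staff VALUES (7, 'old', 'old', 'old', 'old')")
    return con

# The UPDATE from the answer; the @Name markers are rewritten to ? below.
UPDATE_SQL = ("UPDATE Staff SET First_Name = @FirstName, Second_Name = @SecondName, "
              "Username = @UserName, Password = @Password WHERE ID = @ID")
PLACEHOLDER = re.compile(r"@\w+")

def execute_positional(con, sql, params):
    """Mimic the Access/OleDb rule: names are ignored and values are bound in
    the order they were added. `params` is a list of (name, value) pairs in
    the order of the .Parameters.Add calls."""
    values = [value for _name, value in params]
    return con.execute(PLACEHOLDER.sub("?", sql), values).rowcount

def execute_by_name(con, sql, params):
    """Defensive wrapper: bind each value where its name appears in the SQL
    text, so the order of the .Add calls cannot silently swap columns."""
    by_name = dict(params)
    order = PLACEHOLDER.findall(sql)
    unmatched = set(order) ^ set(by_name)  # names in one side but not the other
    if unmatched:
        raise ValueError("parameter names do not match SQL: %s" % sorted(unmatched))
    return con.execute(PLACEHOLDER.sub("?", sql), [by_name[n] for n in order]).rowcount

def read_staff(con, staff_id):
    return con.execute("SELECT First_Name, Second_Name, Username, Password "
                       "FROM Staff WHERE ID = ?", (staff_id,)).fetchone()

def demo():
    """Run the UPDATE three ways on fresh tables; returns the resulting rows."""
    in_order = [("@FirstName", "Ana"), ("@SecondName", "Lopez"),
                ("@UserName", "alopez"), ("@Password", "<hash>"), ("@ID", 7)]
    # Same names and values, but @UserName added before @SecondName.
    swapped = [in_order[0], in_order[2], in_order[1], in_order[3], in_order[4]]
    results = {}
    con = open_staff_db()
    execute_positional(con, UPDATE_SQL, in_order)
    results["in_order"] = read_staff(con, 7)
    con = open_staff_db()
    execute_positional(con, UPDATE_SQL, swapped)  # no error, wrong columns
    results["swapped"] = read_staff(con, 7)
    con = open_staff_db()
    execute_by_name(con, UPDATE_SQL, swapped)  # order no longer matters
    results["by_name"] = read_staff(con, 7)
    try:
        execute_by_name(con, UPDATE_SQL, in_order[:4])  # @ID missing
        results["missing_name"] = "accepted"
    except ValueError:
        results["missing_name"] = "rejected"
    return results
```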
You need to learn coding standards first; declaring variables like x, y, z is something I haven't seen for quite a long time.
You are overwriting cmd.CommandText:
cmd.CommandText = "UPDATE tblPalletRecords SET OrderNumber = " & z & ", ShipmentNumber = " & r & " WHERE PalletNumber = " & x & " "
cmd.CommandText = "SELECT Status FROM tblPalletRecords WHERE Palletnumber = " & x & " "
V2 = cmd.ExecuteScalar()
To Fix:
cmd.CommandText = "UPDATE tblPalletRecords SET OrderNumber = " & z & ", ShipmentNumber = " & r & " WHERE PalletNumber = " & x & " "
cmd.ExecuteNonQuery()

how to save all record show in datagridview to the database

I have this code that will save only the top row of the DataGridView.
Can someone help me modify this code so that it will save all the rows in the DataGridView? I'm using VB 2010 and my database is MS Access. Thank you in advance.
Try
Dim cnn As New OleDbConnection(conString)
query = "Insert into tblreportlog(EmpID,empname,department,empdate,timeinaM,timeoutam,lateam,timeinpm,timeoutpm,latepm,thw) values ('" & dgvReport.Item(0, dgvReport.CurrentRow.Index).Value & "', '" & dgvReport.Item(1, dgvReport.CurrentRow.Index).Value & "', '" & dgvReport.Item(2, dgvReport.CurrentRow.Index).Value & "','" & dgvReport.Item(3, dgvReport.CurrentRow.Index).Value & "','" & dgvReport.Item(4, dgvReport.CurrentRow.Index).Value & "','" & dgvReport.Item(5, dgvReport.CurrentRow.Index).Value & "','" & dgvReport.Item(6, dgvReport.CurrentRow.Index).Value & "','" & dgvReport.Item(7, dgvReport.CurrentRow.Index).Value & "', '" & dgvReport.Item(8, dgvReport.CurrentRow.Index).Value & "','" & dgvReport.Item(9, dgvReport.CurrentRow.Index).Value & "','" & dgvReport.Item(10, dgvReport.CurrentRow.Index).Value & "')"
cmd = New OleDbCommand(query, cnn)
cnn.Open()
cmd.ExecuteNonQuery()
cnn.Close()
Catch ex As Exception
MsgBox("ERROR: " & ErrorToString(), MsgBoxStyle.Critical)
End Try
Working from what is shown, with best practices injected, you should be working from a data source such as a DataTable. For example, if there are no rows when the DataGridView is presented to the user, create a new DataTable and set it as the DataSource of the DataGridView; then, when you are ready to save the rows in the DataGridView, cast the DataSource of the DataGridView to a DataTable and use logic similar to the following:
Dim dt As DataTable = CType(DataGridView1.DataSource, DataTable)
If dt.Rows.Count > 0 Then
Using cn As New OleDb.OleDbConnection With {.ConnectionString = "Your connection string"}
' partial field list done here
Using cmd As New OleDb.OleDbCommand With {
.Connection = cn,
.CommandText = "Insert into tblreportlog(EmpID,empname,department) values (@EmpID,@empname,@department)"}
' TODO - field names, field types
' Access binds parameters by position: keep this order identical to the values (...) list
cmd.Parameters.AddRange(
{
New OleDb.OleDbParameter With {.ParameterName = "@EmpID", .DbType = DbType.Int32},
New OleDb.OleDbParameter With {.ParameterName = "@empname", .DbType = DbType.Int32},
New OleDb.OleDbParameter With {.ParameterName = "@department", .DbType = DbType.String}
}
)
Dim Affected As Integer = 0
cn.Open()
Try
For Each row As DataRow In dt.Rows
' this should not be an auto-incrementing key
cmd.Parameters("@EmpID").Value = row.Field(Of Integer)("FieldName goes here")
cmd.Parameters("@empname").Value = row.Field(Of Integer)("FieldName goes here")
cmd.Parameters("@department").Value = row.Field(Of String)("FieldName goes here")
Affected = cmd.ExecuteNonQuery
If Affected <> 1 Then
Console.WriteLine("Error message, insert failed")
End If
Next
Catch ex As Exception
'
' handle exception
'
' for now
MessageBox.Show("Failed with: " & ex.Message)
' decide to continue or not
End Try
End Using
End Using
End If
On the other hand, if there are new rows mixed with existing rows, we cast the data source as above, then check for new rows along with validation as needed.
For Each row As DataRow In dt.Rows
If row.RowState = DataRowState.Added Then
If Not String.IsNullOrWhiteSpace(row.Field(Of String)("CompanyName")) Then
' set the parameter values from row and call cmd.ExecuteNonQuery as above
End If
End If
Next
Other options: use a DataAdapter, or set up data via the data wizards in the IDE, where a BindingNavigator is set up with a save button.
If it's important to get the new primary key back, all of these methods can do this too.
The following code sample is from this MSDN code sample, which shows how to get a new key back using an OleDb connection and command.
Public Function AddNewRow(ByVal CompanyName As String, ByVal ContactName As String, ByVal ContactTitle As String, ByRef Identifier As Integer) As Boolean
Dim Success As Boolean = True
Try
Using cn As New OleDb.OleDbConnection(Builder.ConnectionString)
Using cmd As New OleDb.OleDbCommand("", cn)
cmd.CommandText = "INSERT INTO Customer (CompanyName,ContactName,ContactTitle) Values (@CompanyName,@ContactName,@ContactTitle)"
cmd.Parameters.AddWithValue("@CompanyName", CompanyName.Trim)
cmd.Parameters.AddWithValue("@ContactName", ContactName.Trim)
cmd.Parameters.AddWithValue("@ContactTitle", ContactTitle.Trim)
cn.Open()
cmd.ExecuteNonQuery()
' Access returns the autonumber just inserted on the same connection
cmd.CommandText = "Select @@Identity"
Identifier = CInt(cmd.ExecuteScalar)
End Using
End Using
Catch ex As Exception
Success = False
End Try
Return Success
End Function

How to update multiple data to Database?

Does anyone know how to fix this code and make it work properly? I want to update my DB with the value in the combo box. Is it possible to update 1 or more values at the same time in the DB?
CODE
cmd.CommandText = "UPDATE tblStudent SET (course = '" & ComboBox2.Text & "',section = '" & ComboBox5.Text & "') WHERE yearLevel = '" & yearLevel.Text & "';"
Thanks in advance!!
First, you should use SQL parameters instead of string concatenation to prevent possible SQL injection.
Also, your code already updates multiple records if there is more than one with the same yearLevel.
Dim sql = "UPDATE tblStudent SET course = @course, section = @section WHERE yearLevel = @yearLevel"
Using cmd = New SqlCommand(sql, con)
' each parameter gets its own name, matching the placeholder in sql
Dim p1 As New SqlParameter("@course", SqlDbType.VarChar)
p1.Value = ComboBox2.Text
cmd.Parameters.Add(p1)
Dim p2 As New SqlParameter("@section", SqlDbType.VarChar)
p2.Value = ComboBox5.Text
cmd.Parameters.Add(p2)
Dim p3 As New SqlParameter("@yearLevel", SqlDbType.Int)
p3.Value = Int32.Parse(yearLevel.Text)
cmd.Parameters.Add(p3)
Dim updatedCount = cmd.ExecuteNonQuery()
End Using
Note that I didn't know the data type of your columns, so modify it accordingly. I just wanted to show you that it's important to use the correct type in the first place.
This is for 'INSERTING'; however, it can be adapted for 'UPDATING' quite easily:
Dim con As New SqlConnection
Dim cmd As New SqlCommand
Try
con.ConnectionString = "Data Source=atisource;Initial Catalog=BillingSys;Persist Security Info=True;User ID=sa;Password=12345678"
con.Open()
cmd.Connection = con
cmd.CommandText = "INSERT INTO table([field1], [field2]) VALUES([Value1], [Value2])"
cmd.ExecuteNonQuery()
Catch ex As Exception
MessageBox.Show("Error while inserting record on table..." & ex.Message, "Insert Records")
Finally
con.Close()
End Try
source: can be found here
where you have declared field1, and assigned it Combobox2.SelectedValue etc

Search Bar issue, Can not re-search VB 2008

Well, I'm creating a search bar to find some patients in my school project. When I search, it works, but when I make another search it sends me the message as if the number doesn't exist, even when it exists. This is the code of the button; hope you can help me.
Private Sub cmdIDBuscar_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles cmdBuscarID.Click
Dim sqlCon As New SqlClient.SqlConnection
Dim sqlComm As New SqlClient.SqlCommand
'Connection string.
sqlCon.ConnectionString = ("Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\Sistema para Hospitales.mdf;Integrated Security=True;User Instance=True")
'Statement to work with.
sqlComm.CommandText = "SELECT * FROM [Pacientes] WHERE IDPaciente= '" & txtID.Text & "';"
'Open the SQL connection
sqlCon.Open()
Do Until txtID.Text = txtCompararID.Text
Me.PacientesBindingSource.MoveNext()
Exit Do
If EOF(True) Then KryptonMessageBox.Show("Error, no se encontro paciente.", "Error", MessageBoxButtons.AbortRetryIgnore, MessageBoxIcon.Error)
Loop
If txtID.Text = txtCompararID.Text Then
txtNombres.Text = txtCompararN1.Text & " " & txtCompararN2.Text & " " & txtCompararN3.Text
txtApellidos.Text = txtCompararAp1.Text & " " & txtCompararAp2.Text
txtEdad.Text = txtCompararEdad.Text
Select Case txtCompararSexo.Text
Case Is = "F"
txtSexo.Text = "Femenino"
Case Is = "M"
txtSexo.Text = "Masculino"
End Select
Select Case TipoAfiliacionTextBox.Text
Case Is = "1"
txtTAfiliacion.Text = "Cotizante"
Case Is = "2"
txtTAfiliacion.Text = "Beneficiario"
Case Is = "3"
txtTAfiliacion.Text = "Pensionado"
End Select
txtAltura.Text = AlturaTextBox1.Text
txtPeso.Text = PesoTextBox1.Text
txtPresion.Text = PresionTextBox.Text
txtTemperatura.Text = TemperaturaTextBox.Text
Else
KryptonMessageBox.Show("No se encontro el paciente", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error)
End If
End Sub
Among other problems, because you have an Exit Do statement in the middle of your comparison loop, you will probably only ever match the first record since your do loop will execute a maximum of one time.
I am guessing that txtCompararID is databound to your PacientesBindingSource and that the intent of your loop is to move through this binding source until you find the value that matches txtID.
If that is the case, your do loop should look something more like:
' Get back to the top of the list
Me.PacientesBindingSource.MoveFirst()
Do Until txtID.Text = txtCompararID.Text
' MoveNext stays on the last item once it is reached, so test for the end before
' moving; EOF() is the file I/O function and does not apply to a BindingSource
If Me.PacientesBindingSource.Position >= Me.PacientesBindingSource.Count - 1 Then
KryptonMessageBox.Show("Error, no se encontro paciente.", "Error", MessageBoxButtons.AbortRetryIgnore, MessageBoxIcon.Error)
Exit Do
End If
Me.PacientesBindingSource.MoveNext()
Loop
In addition, you should use Using statements for your connection and command objects so that they are properly closed and disposed of when you are done using them.
For example:
Using sqlCon As New SqlClient.SqlConnection
Using sqlComm As New SqlClient.SqlCommand
... all of your code
End Using
End Using
And finally, and most importantly, you should be using a parameterized query statement in order to prevent SQL injection attacks since you are allowing direct entry of values. This statement:
sqlComm.CommandText = "SELECT * FROM [Pacientes] WHERE IDPaciente= '" & txtID.Text & "';"
should be changed to something like:
' SqlClient uses named @ parameters; the ? marker is OleDb/ODBC syntax
sqlComm.CommandText = "SELECT * FROM [Pacientes] WHERE IDPaciente= @IDPaciente"
sqlComm.Parameters.AddWithValue("@IDPaciente", txtID.Text)