I've looked through more SQL problems than I care to count but nothing seems to be working for this particular issue. I'm running a SELECT query against an Access database in C# using the following code:
DateTime starttime = new DateTime(2011, 9, 4);
DateTime endtime = new DateTime(2011, 9, 10);
cmd.CommandText = @"SELECT ACT_ENTRY2CASE,ACT_ENTRY2USER FROM SA_TABLE_ACT_ENTRY WHERE ENTRY_TIME>" + starttime + @" AND ENTRY_TIME<" + endtime + @" AND ACT_ENTRY2CASE IS NOT NULL";
reader = cmd.ExecuteReader();
I get the error:
Syntax error (missing operator) in query expression 'ENTRY_TIME>9/4/2011 12:00:00 AM AND ENTRY_TIME<9/10/2011 12:00:00 AM AND ACT_ENTRY2CASE IS NOT NULL'.
I have tried surrounding my variables with various things (parentheses, ' marks, [], etc). Nothing seems to make it work (although with some of those items the error changes to something to the effect of "missing or invalid parameter").
I'm sure it's a matter of some dumb little typo on my part but I can't find it for the life of me. Any ideas?
First of all, your code is vulnerable to SQL Injection.
You should parameterize your query. Here is "teh codez":
cmd.CommandText = @"
SELECT ACT_ENTRY2CASE,ACT_ENTRY2USER
FROM SA_TABLE_ACT_ENTRY
WHERE ENTRY_TIME> @starttime
AND ENTRY_TIME< @endtime
AND ACT_ENTRY2CASE IS NOT NULL";
cmd.Parameters.AddWithValue("@starttime", starttime);
cmd.Parameters.AddWithValue("@endtime", endtime);
reader = cmd.ExecuteReader();
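An added example, not part of the original answer: the same query as a complete method with explicitly typed date parameters and deterministic disposal. The `ActEntryQuery` class, the `ReadEntries` method and the caller-supplied connection string are assumptions; the .NET OLE DB provider binds parameters by position rather than by name, so they are added in the order the `?` markers appear.

```csharp
using System;
using System.Collections.Generic;
using System.Data.OleDb;

static class ActEntryQuery   // hypothetical helper class, not from the original post
{
    // connectionString is supplied by the caller (assumption: it points at the Access file).
    public static List<object[]> ReadEntries(string connectionString,
                                             DateTime startTime, DateTime endTime)
    {
        // No values are spliced into the SQL text, so DateTime.ToString() formatting
        // ("9/4/2011 12:00:00 AM") never reaches the query parser.
        const string sql = @"
            SELECT ACT_ENTRY2CASE, ACT_ENTRY2USER
            FROM SA_TABLE_ACT_ENTRY
            WHERE ENTRY_TIME > ?
              AND ENTRY_TIME < ?
              AND ACT_ENTRY2CASE IS NOT NULL";

        var rows = new List<object[]>();
        using (var conn = new OleDbConnection(connectionString))
        using (var cmd = new OleDbCommand(sql, conn))
        {
            // Positional binding: the first parameter added fills the first '?'.
            // The names are kept only for readability.
            cmd.Parameters.Add("@starttime", OleDbType.Date).Value = startTime;
            cmd.Parameters.Add("@endtime", OleDbType.Date).Value = endTime;

            conn.Open();
            using (OleDbDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    // Copy the two selected columns; a NULL user arrives as DBNull.Value.
                    var row = new object[reader.FieldCount];
                    reader.GetValues(row);
                    rows.Add(row);
                }
            }
        }
        return rows;
    }
}
```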
You need to either put your starttime and endtime within quotations (if you just have a string representation of date in your database) or use To_Date() SQL function to convert your dates to a SQL date object...
However it's always best to parameterize your SQL to make it safe and to raise performance.
I don't know if it is all of the problem, but I think you need to have your dates in quotes. You may have tried this and missed one, which would give you mismatched quotes.