The text "select * from tblpayroll where empid = userid" will be sent through exactly as is to the SQL back end, the userid part will not be substituted. So, unless you have a userid column, you’ll probably get an error. Even if you do have a userid column, the results won’t be what you expect.

What you need to do depends on whether userid is a numeric or string value. For numerics, you can use:

"select * from tblpayroll where empid = " & CStr(userid)

This will first turn the numeric value into a string and check it as-is.

For string values, use:

"select * from tblpayroll where empid = '" & userid & "'"

This will simply surround the string with quotes to ensure a string comparison works. You need to be aware that this is a bad idea if userid has not been sanitised somehow – it may lead to SQL injection attacks. The art of fixing that is outside the scope of this particular question but it’s worth keeping in mind.

What to do if your variable is numeric but the database field is a string is another matter. You can do it with CStr and zero-padding but, since it’s an unlikely scenario, I haven’t documented it here.