>>I'm not expert in Access, but you should continue to use the question marks. That makes the values parameters. Concatenating user content into SQL commands is the classic newbie mistake that leads to SQL Injection Attacks.
>
>As long as her home development computer is not acting as a publicly available web server the probability of an SQL Injection attack is 0.

A SQL Injection attack is when a piece of SQL is injected into any SQL sent to a database server. It is not limited to the web.