Adding entries to an MS Access file using OleDB

In the following piece of code I am adding entries to an MS Access file using OleDB. The purpose of this post is to point out my bad programming practices and if I have created any security flaws here. I was reading somewhat about SQL injection attacks, and I wonder if this code might have any potential bugs.

First, it's the AddEntry button in which I am sending a data depending on which type was chosen, and each type has its own SQL query.

private void btnAddEntry_Click(object sender, EventArgs e)
{
    // Multiple level field validations.
    if (cmbType.SelectedIndex != -1)
    {
        if (cmbType.SelectedIndex == 0 &&
            (!string.IsNullOrEmpty(txtUserName.Text.Trim()) &&
            !string.IsNullOrEmpty(txtPassword.Text.Trim())))
        {
            string SQL =
                "INSERT INTO PersonalData([Type], [UserName], [Password]) " +
                "VALUES(@Type, @UserName, @Password)";

            InsertData(SQL);
        }
        else if (cmbType.SelectedIndex == 1 &&
            (!string.IsNullOrEmpty(txtURL.Text.Trim()) &&
            !string.IsNullOrEmpty(txtUserName.Text.Trim()) &&
            !string.IsNullOrEmpty(txtPassword.Text.Trim())))
        {
            // Creating SQL string. Using [] will prevent any erros
            // that might occur if any other names will be reserved words.
            string SQL =
                "INSERT INTO PersonalData([Type], [URL], [UserName], [Password]) " +
                "VALUES(@Type, @URL, @UserName, @Password)";

            InsertData(SQL);
        }
        else if (cmbType.SelectedIndex == 2 &&
            (!string.IsNullOrEmpty(txtSoftwareName.Text.Trim()) &&
            !string.IsNullOrEmpty(txtSerialCode.Text.Trim())))
        {
            // Creating SQL string. Using [] will prevent any erros
            // that might occur if any other names will be reserved words.
            string SQL =
                "INSERT INTO PersonalData([Type], [SoftwareName], [SerialCode]) " +
                "VALUES(@Type, @SoftwareName, @SerialCode)";

            InsertData(SQL);
        }
        else
        {
            lblMessage.Text = "Please fill out all required fields!";
        }
    }
    else
    {
        lblMessage.Text = "Please select a type first!";
    }
}

Secondly, this is actual code which inserts data into the file:

private void InsertData(string sql)
{
    // Initialising encrypting/decrypting file.
    Security security = new Security();

    using (OleDbConnection connection = new OleDbConnection())
    {
        // Creating command object.
        connection.ConnectionString =
            "Provider=Microsoft.ACE.OLEDB.12.0;" +
            "Data Source=" + filePath + ";" +
            "Persist Security Info=False;" +
            "Jet OLEDB:Database Password=" + hashPhrase.ShortHash(pass) + ";";

        using (OleDbCommand command = new OleDbCommand(sql, connection))
        {
            // I need to make sure that I am using correct parameters
            // when using specified combo type. If I wouldn't
            // differenciate between types, then I would end up
            // with empty fields in the database file.
            if (cmbType.SelectedIndex == 0)
            {
                OleDbParameter prmType = new OleDbParameter
                    ("@Type", security.EncryptAES(cmbType.Text, pass, user));
                OleDbParameter prmUserName = new OleDbParameter
                    ("@UserName", security.EncryptAES(txtUserName.Text, pass, user));
                OleDbParameter prmPassword = new OleDbParameter
                    ("@Password", security.EncryptAES(txtPassword.Text, pass, user));

                command.Parameters.Add(prmType);
                command.Parameters.Add(prmUserName);
                command.Parameters.Add(prmPassword);
            }
            else if (cmbType.SelectedIndex == 1)
            {
                OleDbParameter prmType = new OleDbParameter
                    ("@Type", security.EncryptAES(cmbType.Text, pass, user));
                OleDbParameter prmURL = new OleDbParameter
                    ("@URL", security.EncryptAES(txtURL.Text, pass, user));
                OleDbParameter prmUserName = new OleDbParameter
                    ("@UserName", security.EncryptAES(txtUserName.Text, pass, user));
                OleDbParameter prmPassword = new OleDbParameter
                    ("@Password", security.EncryptAES(txtPassword.Text, pass, user));

                command.Parameters.Add(prmType);
                command.Parameters.Add(prmURL);
                command.Parameters.Add(prmUserName);
                command.Parameters.Add(prmPassword);
            }
            else if (cmbType.SelectedIndex == 2)
            {
                OleDbParameter prmType = new OleDbParameter
                    ("@Type", security.EncryptAES(cmbType.Text, pass, user));
                OleDbParameter prmSoftwareName = new OleDbParameter
                    ("@SoftwareName", security.EncryptAES(txtSoftwareName.Text, pass, user));
                OleDbParameter prmSerialCode = new OleDbParameter
                    ("@SerialCode", security.EncryptAES(txtSerialCode.Text, pass, user));

                command.Parameters.Add(prmType);
                command.Parameters.Add(prmSoftwareName);
                command.Parameters.Add(prmSerialCode);
            }

            try
            {
                connection.Open();
                command.ExecuteNonQuery();
            }
            catch (Exception ex)
            {
                MessageBox.Show("Error: " + ex.Message);
            }
        }
    }

    // Refreshing state of main window.
    mainWindow.DisplayFileContent(filePath);

    lblMessage.Text = "Data was successfully added.";

    // Clearing all fields.
    ClearFields();
}