This example demonstrates how to use command parameters:
// Builds a parameterized INSERT for the Topics table. The user-supplied values
// (UserId, TopicSubjectText) are bound as typed SqlParameters rather than
// concatenated into the SQL text, so they cannot alter the statement's structure.
// NOTE(review): the connection is never disposed in the visible span; wrap it in
// a using block (or close it in a finally) once the enclosing try/catch is known.
SqlConnection conn = new SqlConnection(_connection.ConnectionString);
// `cmd` is assigned, not declared, here — its declaration lies outside this span.
// BUG: the column list names five columns (UserId, Tid, Subject, Posted, Fid) but
// the VALUES clause supplies only four; SQL Server rejects an INSERT whose column
// and value counts differ. Either add a @Fid parameter bound to the forum id
// (its source is not visible here) or drop Fid from the column list.
cmd = new SqlCommand("INSERT INTO Topics " +
" (UserId, Tid, Subject, Posted, Fid) " +
" Values(@UserId, @Tid, @Subject, @Posted)", conn);
// Each Add call declares the parameter's SqlDbType (and max length for VarChar),
// so the provider sends the value as data, never as part of the SQL string.
// Values longer than 255 characters are truncated to the declared size.
cmd.Parameters.Add("UserId", SqlDbType.VarChar, 255).Value = UserId;
// Tid is derived from the current topic id plus one; its caller-side source is not shown.
cmd.Parameters.Add("Tid", SqlDbType.Int).Value = CurTopicId + 1;
cmd.Parameters.Add("Subject", SqlDbType.VarChar, 255).Value = TopicSubjectText;
// Posted uses local time (DateTime.Now); prefer DateTime.UtcNow if the column is
// compared across servers or time zones — confirm what the schema expects.
cmd.Parameters.Add("Posted", SqlDbType.DateTime).Value = System.DateTime.Now;
try
{
conn.Open();
cmd.ExecuteNonQuery();
}