Use question marks in the CommandText to indicate parameters.
The parameters of the SQL statement or stored procedure. The default value is an empty collection.
When CommandType is set to Text, pass parameters using the question mark placeholder. For example:
SELECT * FROM Customers WHERE ID = ?
The order in which SAParameter objects are added to the SAParameterCollection must directly correspond to the position of
the question mark placeholder for the parameter in the command text.
When the parameters in the collection do not match the placeholders of the query to be executed (for example, in number or in
order), an error may result or an exception may be thrown.
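The following C# example is added here to show positional question-mark parameters with SACommand; it is not code from the SQL Anywhere documentation. The Sap.Data.SQLAnywhere namespace, the connection string, and the Customers table with ID and City columns are assumptions. It binds two parameters in the order of their placeholders and passes caller-supplied values as data rather than splicing them into the SQL text, which is what keeps the statement free of SQL injection.

```csharp
// Added example (not from the SQL Anywhere documentation): positional '?' parameters
// with SACommand. Namespace, connection string and table/column names are assumptions.
using System;
using System.Data;
using Sap.Data.SQLAnywhere;   // older provider builds use iAnywhere.Data.SQLAnywhere

class PositionalParametersExample
{
    // Returns the number of matching rows. 'customerId' and 'city' come from the caller
    // (for example, user input) and are never concatenated into the SQL text.
    static int CountCustomers(SAConnection conn, int customerId, string city)
    {
        // Two '?' placeholders; each is matched to a parameter strictly by position.
        const string sql = "SELECT COUNT(*) FROM Customers WHERE ID = ? AND City = ?";

        using (SACommand cmd = new SACommand(sql, conn))
        {
            cmd.CommandType = CommandType.Text;

            // First '?'  -> first parameter added (ID)
            SAParameter pId = new SAParameter("id", SADbType.Integer);
            pId.Value = customerId;
            cmd.Parameters.Add(pId);

            // Second '?' -> second parameter added (City)
            SAParameter pCity = new SAParameter("city", SADbType.VarChar, 64);
            pCity.Value = city;
            cmd.Parameters.Add(pCity);

            // Adding pCity before pId would bind the string to ID and the integer to City:
            // the provider then reports a conversion error or the query matches the wrong
            // rows. The names given to SAParameter are informational here; only the order
            // in the collection is used to match the placeholders.
            return Convert.ToInt32(cmd.ExecuteScalar());
        }
    }

    static void Main()
    {
        // Connection string is a placeholder (assumption).
        string connStr = "UID=dba;PWD=<placeholder>;Server=demo;DBN=demo";
        using (SAConnection conn = new SAConnection(connStr))
        {
            conn.Open();
            // A value containing a quote is passed as data; no escaping in the SQL text is
            // needed and the quote cannot alter the statement.
            int n = CountCustomers(conn, 101, "O'Brien");
            Console.WriteLine("Matching customers: " + n);
        }
    }
}
```

The check to keep in mind when reviewing such code is that the number of SAParameter objects added equals the number of question marks and that they are added in placeholder order; a mismatch surfaces only at execution time as the error or exception described above, not at compile time.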