I have the same situation here, where I am wanting to protect against SQL injection attacks. I see this post is from 2012, so my first question is: has the answer to the main question changed since 2012?
My next question (assuming the answer to the above is no) is that I don't understand how this helps. I am sure it's just me needing a better understanding of parameters. If I have a query like this:
qry = ... + "WHERE n.name='" + usrName + "'"
and if usrName = ' OR '1'=='1
I don't see how putting that in a parameter will help. Does the parameter do something special vs. a non-parameterized query?
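To make the difference concrete, here is an added example (not code from the original question or any answer in the thread) that runs the exact input from the question against both query styles using Python's sqlite3 module. It assumes a constructed in-memory table named `nodes`, queried under the alias `n` to match the `n.name` column in the question.

```python
import sqlite3

# Constructed sample data (not from the thread): a small table queried as alias n.
ROWS = [("alice",), ("bob",), ("carol",)]
# The exact input from the question.
INJECTED = "' OR '1'=='1"


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nodes (name TEXT)")
    conn.executemany("INSERT INTO nodes (name) VALUES (?)", ROWS)
    return conn


def names_concatenated(usr_name):
    """The pattern from the question: user input spliced into the SQL text.
    The database parser sees the quote inside the input as SQL syntax, so the
    WHERE clause becomes  n.name='' OR '1'=='1'  and matches every row."""
    conn = _connect()
    qry = "SELECT n.name FROM nodes n WHERE n.name='" + usr_name + "'"
    return [row[0] for row in conn.execute(qry)]


def names_parameterized(usr_name):
    """Same query with a bound parameter. The SQL text is fixed and parsed
    before the value is attached; the value is handed to the engine as data,
    so it can only ever be compared as a string, never re-parsed as SQL."""
    conn = _connect()
    qry = "SELECT n.name FROM nodes n WHERE n.name=?"
    return [row[0] for row in conn.execute(qry, (usr_name,))]


if __name__ == "__main__":
    print(names_concatenated("bob"))       # ['bob']
    print(names_concatenated(INJECTED))    # every name in the table
    print(names_parameterized("bob"))      # ['bob']
    print(names_parameterized(INJECTED))   # [] : no name equals that literal string
```

The parameterized query returns nothing for the injected input because the engine is comparing `n.name` against the literal string `' OR '1'=='1`, not evaluating it as part of the WHERE clause.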