You can concatenate the parameter values into the query string, but this approach may open you up to SQL injection.
A better way is to use SQL query parameters.
If you use an ODBC connection, simply replace each parameter in the SQL query with "?"
e.g.
SELECT * FROM tblName WHERE arg1=? and arg2=?
(for the SQL Server driver use SELECT * FROM tblName WHERE arg1=@param1_name and arg2=@param2_name)
Then create two parameters (the name does not matter for an ODBC connection), ordered as they appear in the query.
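As an added illustration (not code from the original answer), the three approaches side by side: string concatenation, ODBC-style positional "?" placeholders bound in order, and SQL Server-style "@name" parameters. It uses Python's built-in sqlite3 module as a stand-in for an ODBC data source so it runs offline; SQLite happens to accept the "@name" placeholder syntax as well, so the same statement text is used for the named form. The table name tblName and the column names arg1/arg2 follow the answer; the sample rows and the hostile input are constructed for the example.

```python
import sqlite3

# Constructed sample data (not from the original answer): an in-memory SQLite
# database standing in for the ODBC data source.
SAMPLE_ROWS = [
    ("alice", "admin"),
    ("bob", "user"),
    ("carol", "user"),
]


def make_connection() -> sqlite3.Connection:
    """Create an in-memory database with a table named like the answer's example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblName (arg1 TEXT, arg2 TEXT)")
    conn.executemany("INSERT INTO tblName VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def query_by_concatenation(conn, arg1, arg2):
    """The approach the answer warns against: values pasted into the SQL text.
    A value containing a quote changes the meaning of the statement."""
    sql = "SELECT * FROM tblName WHERE arg1='" + arg1 + "' and arg2='" + arg2 + "'"
    return conn.execute(sql).fetchall()


def query_with_qmark(conn, arg1, arg2):
    """ODBC-style positional placeholders: one '?' per value, bound in order.
    Parameter names do not matter here; only the order does."""
    sql = "SELECT * FROM tblName WHERE arg1=? and arg2=?"
    return conn.execute(sql, (arg1, arg2)).fetchall()


def query_with_named(conn, arg1, arg2):
    """SQL Server-style named parameters. SQLite also accepts the '@name'
    syntax, so the statement text from the answer is used unchanged."""
    sql = "SELECT * FROM tblName WHERE arg1=@param1_name and arg2=@param2_name"
    return conn.execute(sql, {"param1_name": arg1, "param2_name": arg2}).fetchall()


if __name__ == "__main__":
    conn = make_connection()
    benign = ("alice", "admin")
    # Constructed hostile input: the quote ends the literal and the rest becomes SQL.
    hostile = ("x' OR '1'='1", "x' OR '1'='1")
    print("concatenation, benign:", len(query_by_concatenation(conn, *benign)))   # 1
    print("concatenation, hostile:", len(query_by_concatenation(conn, *hostile)))  # 3 (every row)
    print("qmark, hostile:", len(query_with_qmark(conn, *hostile)))                # 0
    print("named, hostile:", len(query_with_named(conn, *hostile)))                # 0
```

With parameters, the driver sends the statement text and the values separately, so the hostile value is compared literally against arg1 and matches nothing, whereas the concatenated statement returns every row. With a real ODBC driver the code structure is the same: prepare the statement with "?" placeholders and bind the values in query order.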