I have heard that I can prevent SQL injection attacks by using parameterized queries, but I do not know how to write them.
How would I write the following as a param
Instead of comboBox1.Text, use parameters like @firma:

command.Parameters.Add("@firma", SqlDbType.VarChar);
command.Parameters["@firma"].Value = comboBox1.Text;
query += " AND firma = @firma ";

Apply this to all parameters.
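Added example (not the answer's code) showing the concatenated query beside its parameterized form for two filters; the table Kunden, the columns firma and ort, the column lengths and the connection string are assumptions for illustration:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class CustomerSearch
{
    // Unsafe: the user's text is spliced into the SQL string, so any quote
    // character in it changes the statement itself rather than the value.
    static SqlCommand BuildUnsafe(SqlConnection conn, string firma, string ort)
    {
        string query = "SELECT * FROM Kunden WHERE 1 = 1";   // assumed table
        if (firma.Length > 0) query += " AND firma = '" + firma + "'";
        if (ort.Length > 0)   query += " AND ort = '" + ort + "'";
        return new SqlCommand(query, conn);
    }

    // Parameterized: the SQL text holds only placeholders; each value travels
    // as typed data, so the database never parses it as SQL.
    static SqlCommand BuildParameterized(SqlConnection conn, string firma, string ort)
    {
        var command = new SqlCommand { Connection = conn };
        string query = "SELECT * FROM Kunden WHERE 1 = 1";

        if (firma.Length > 0)
        {
            query += " AND firma = @firma";
            command.Parameters.Add("@firma", SqlDbType.VarChar, 100).Value = firma;  // assumed length
        }
        if (ort.Length > 0)
        {
            query += " AND ort = @ort";
            command.Parameters.Add("@ort", SqlDbType.VarChar, 100).Value = ort;
        }
        command.CommandText = query;
        return command;
    }

    static void Main()
    {
        // Constructed input: a legitimate name containing an apostrophe.
        string firma = "O'Brien GmbH";
        using (var conn = new SqlConnection("Server=(local);Database=Demo;Integrated Security=true"))
        {
            // The unsafe query is now syntactically broken (unbalanced quote).
            Console.WriteLine(BuildUnsafe(conn, firma, "").CommandText);
            // The parameterized query text is unchanged; the apostrophe stays inside the value.
            var cmd = BuildParameterized(conn, firma, "");
            Console.WriteLine(cmd.CommandText + "   [@firma = " + cmd.Parameters["@firma"].Value + "]");
        }
    }
}
```

Neither command is executed here, so the program runs without a database and only prints the two statements for comparison.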