using System.Data.OleDb;

// OleDbConn1 is an already-open OleDbConnection; the '?' is the positional
// parameter marker OleDb uses, and the user's text is bound to it separately.
string strSQL = "INSERT INTO Mytable (Code, inputdata) VALUES ('1234', ?)";
OleDbCommand myCommand = new OleDbCommand(strSQL, OleDbConn1);
myCommand.Parameters.Add("@mydata", OleDbType.VarChar, 6);
myCommand.Parameters["@mydata"].Value = inputdat.Text;

Notice it's not doing any strSQL += type stuff. That's concatenation, and that's usually where injection can sneak in. You want valid SQL statements encapsulated in a single string.
Even if concatenation yields the same result, it's still safer to reduce or eliminate its use. It's an ounce of prevention during coding. If you never concatenate, you almost guarantee against injection.
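As an added example (not code from the original post), here is the concatenated form the post warns against placed beside the parameterized form it recommends, written for the same Mytable(Code, inputdata) table. The Code parameter, its size of 10, the OLEDB_CONNSTR environment variable and the ParamDemo class are assumptions made for the example. One caveat worth knowing with OleDb specifically: the provider matches parameters by position, not by name, so the order in which you add them must match the order of the '?' marks.

```csharp
using System;
using System.Data;
using System.Data.OleDb;

// Added example, not from the original post. Assumes an OleDb provider reachable
// through a connection string in OLEDB_CONNSTR and a table Mytable(Code, inputdata).
public static class ParamDemo
{
    // The pattern to avoid: the user's text becomes part of the statement, so any
    // quote or SQL syntax in it changes what the statement means. Even an innocent
    // apostrophe (O'Neil) breaks the query here.
    public static string BuildUnsafe(string code, string input)
    {
        string strSQL = "INSERT INTO Mytable (Code, inputdata) VALUES ('";
        strSQL += code + "', '" + input + "')";   // concatenation: the injection point
        return strSQL;
    }

    // The pattern the post recommends: the statement text is a single fixed string,
    // and the values travel separately as parameters. OleDb uses positional '?'
    // markers, so parameters are bound in the order they are added; the names
    // ("@code", "@mydata") are only labels inside the Parameters collection.
    public static int InsertSafely(OleDbConnection conn, string code, string input)
    {
        // Enforce the column length ourselves rather than relying on driver behaviour.
        if (input == null || input.Length > 6)
            throw new ArgumentException("inputdata must be at most 6 characters", nameof(input));

        const string strSQL = "INSERT INTO Mytable (Code, inputdata) VALUES (?, ?)";
        using (OleDbCommand cmd = new OleDbCommand(strSQL, conn))
        {
            cmd.Parameters.Add("@code", OleDbType.VarChar, 10).Value = code;   // first '?'
            cmd.Parameters.Add("@mydata", OleDbType.VarChar, 6).Value = input; // second '?'
            return cmd.ExecuteNonQuery();   // rows inserted
        }
    }

    public static void Main()
    {
        // Constructed input: a legitimate value containing an apostrophe. As a
        // parameter it is stored as-is; concatenated, it produces a malformed statement.
        string userText = "O'Neil";
        Console.WriteLine(BuildUnsafe("1234", userText));

        // Placeholder: set OLEDB_CONNSTR to a real provider connection string to run the insert.
        string connStr = Environment.GetEnvironmentVariable("OLEDB_CONNSTR") ?? "";
        if (connStr.Length == 0)
        {
            Console.WriteLine("Set OLEDB_CONNSTR to run the parameterized insert.");
            return;
        }
        using (OleDbConnection conn = new OleDbConnection(connStr))
        {
            conn.Open();
            Console.WriteLine(InsertSafely(conn, "1234", userText) + " row(s) inserted");
        }
    }
}
```

Printing BuildUnsafe's result makes the problem visible without running anything against a database: the apostrophe in the value terminates the string literal in the concatenated statement, whereas InsertSafely never lets the value touch the statement text at all.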