It's difficult to see what you intend, precisely. So I am going to offer just these impressions: 1. You seem to expect that the effect of supplying parameter values for a parameterized SQL statement, (ultimately held internally as a parsed statement object, representing the structure of your SQL), to show up as the text you wrote with the parameters substituted. It does not work that way. 2. You claim an intent to avoid SQL injection woes, yet you concatenate inputs to your code (that you excerpted) with some SQL-fragments, and submit the result to the SQLite SQL parser as a statement. I do not see enough of your code (after presumably ridding it of the would-be-parameterized table name) to venture what you are doing wrong now. But I think your expectation needs adjustment. Read up on what parameterization does and how that is supported in Data.SQLite (which I assume you are using.) Then, I suspect, you will be able to write the C# that makes happen what you rightly think can happen and want to happen. If not, more questions are welcome, if they are on-topic here.