Not sure I'm reading the code correctly--I guess that the commented code is actually in use, called by this line
sql = o_Qry_UserRights.qry_getUserRights(SessionCheck.s_sessiondpintind, SessionCheck.s_sessionusergroupid, Module_Name);
What is the OracleConnect class? I'd guess you're not using it correctly to set the parameters. Are you sure there are methods in that class named Parameter_String and Parameter_Int32 that take the name of a parameter and its value and *add* a parameter to something like an OracleCommand object?
All that's beyond the point, however, because even presuming that your OracleConnect class is creating a command object and that the parameter methods work correctly, you're calling that method while you build a SQL string, and then promptly disposing of your instance of OracleConnect and whatever command object it's created. All you pass back from qry_getUserRights is the SQL string, so all your parameters are lost.
By the way, why are you using OracleConnect to get your SQL string, and then OledbConnect to actually execute it (and is OledbConnect another custom class)? Is this really Oracle?
Using Oracle.DataAccess.dll (an Oracle library), I'd do something like this, which assumes an array of parameters and includes a count of items to include in the parameters (code quickly converted from VB, so might not be completely accurate):
OracleConnection conn = New OracleConnection(connectString);
OracleCommand cmd = New OracleCommand(sql, conn);
cmd.Connection.Open();
if (myParams != null && myParams.Length > 0)
{
cmd.ArrayBindCount = recordCount;
for (int i = 0; i < myParams.Length; i++)
{
cmd.Parameters.Add(myParams[i]);
}
}
OracleDataReader r = cmd.ExecuteReader();