The problem may be that you are passing the command text string into the method as a string - so the actual text passed to SQL as a command could be anything, regardless of how careful the method itself is with using parameters.
It's OK if you call it like this:
ActionQuery("SELECT * FROM MyTable WHERE ID = @ID", ...
But you could equally well do this:
ActionQuery(TextBox1.Text, ...
And that is wide open to SQL injection. I don't think you can solve this problem and keep the current method structure.
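An added example (not part of the original answer, and not the poster's ActionQuery code) that demonstrates the point in Python with sqlite3: a free-form helper that binds parameters correctly still executes whatever SQL text it is handed, while a helper that only accepts a key into a fixed table of statements removes that path entirely. The table, column and row data are constructed for the demo, and `:ID` is sqlite3's spelling of the `@ID` named parameter in the answer.

```python
import sqlite3

# Constructed in-memory database so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MyTable (ID INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO MyTable VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def action_query(conn, command_text, params=None):
    """Free-form helper, modelled on the ActionQuery in the answer: it binds
    parameters correctly, but it executes whatever SQL text the caller passes."""
    return conn.execute(command_text, params or {}).fetchall()

# Allow-list: the only statements the hardened helper will ever run.
# The caller never supplies SQL text, only one of these keys.
QUERIES = {
    "user_by_id":   "SELECT ID, Name FROM MyTable WHERE ID = :ID",
    "user_by_name": "SELECT ID, Name FROM MyTable WHERE Name = :Name",
}

def safe_query(conn, query_key, params=None):
    """Hardened helper (hypothetical name): the method structure changes so that
    user input can only ever reach the database as a bound parameter."""
    try:
        sql = QUERIES[query_key]
    except KeyError:
        raise ValueError(f"unknown query key: {query_key!r}") from None
    return conn.execute(sql, params or {}).fetchall()

def demo():
    conn = make_db()
    # A bound parameter is compared as a value, so a hostile-looking string
    # simply matches no row: this is the case the answer says is OK.
    bound = action_query(conn, "SELECT ID, Name FROM MyTable WHERE ID = :ID",
                         {"ID": "1 OR 1=1"})
    # The command text itself is just a string. Stand-in for TextBox1.Text:
    user_text = "SELECT ID, Name FROM MyTable"
    # Careful parameter handling does nothing here; the helper runs the text as given.
    free_text = action_query(conn, user_text)
    # The hardened helper has no way to accept free-form text at all.
    safe = safe_query(conn, "user_by_id", {"ID": 1})
    try:
        safe_query(conn, user_text)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "bound_param_rows": len(bound),   # 0
        "free_text_rows": len(free_text), # 3, the whole table
        "safe_rows": len(safe),           # 1
        "free_text_rejected": rejected,   # True
    }

if __name__ == "__main__":
    print(demo())
```

The design change is the one the answer hints at: the fix is not a better ActionQuery but a different signature, one where callers select a statement rather than supply it, so the SQL text is never built from anything a user typed.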