I've read that when passing parameters to the CommandText method of the IDbCommand object I shouldn't build the command string as

Code:
' Vulnerable: the user's input is spliced into the SQL text itself
command.CommandText = _
    "SELECT * FROM CUSTOMERS WHERE CITY = '" & inputCity & "'"
but instead use the SqlParameter object as this is more secure

Code:
' Parameterised: the SQL text is fixed and the value is supplied separately
command.CommandText = _
    "SELECT * FROM CUSTOMERS WHERE CITY = @City"
command.Parameters.Add(New SqlParameter("@City", inputCity))
My question is: why is this more secure? Surely I'm assigning a string value to my parameter anyway. Are the two methods majorly different?
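An added example, not part of the original post, showing the difference the question asks about. It uses Python's sqlite3 module rather than ADO.NET because it runs offline with no database server, but the mechanism is the same as with SqlParameter: in the concatenated version the input text is parsed as part of the SQL statement, so quote characters and comment markers change the query's meaning; in the parameterised version the statement text is fixed and the driver passes the value to the engine as data, so the whole string is compared literally against CITY. The CUSTOMERS rows and the hostile inputs are constructed for the demonstration; the `:city` placeholder is sqlite's equivalent of `@City`.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
CUSTOMERS = [
    ("Alice", "London"),
    ("Bob", "Paris"),
    ("Carol", "Berlin"),
]


def setup_db():
    """Create an in-memory CUSTOMERS table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CUSTOMERS (NAME TEXT, CITY TEXT)")
    conn.executemany("INSERT INTO CUSTOMERS VALUES (?, ?)", CUSTOMERS)
    return conn


def query_concatenated(conn, input_city):
    """Vulnerable: the caller's text becomes part of the SQL grammar."""
    sql = "SELECT NAME FROM CUSTOMERS WHERE CITY = '" + input_city + "' ORDER BY NAME"
    return [row[0] for row in conn.execute(sql)]


def query_parameterised(conn, input_city):
    """Safe: the statement text never changes; the value is bound separately."""
    sql = "SELECT NAME FROM CUSTOMERS WHERE CITY = :city ORDER BY NAME"
    return [row[0] for row in conn.execute(sql, {"city": input_city})]


def demo():
    """Run both query styles against an honest value and two hostile ones."""
    conn = setup_db()
    honest = "Paris"
    # Closes the quoted literal and appends an always-true condition:
    #   ... WHERE CITY = 'x' OR '1'='1' ...
    tautology = "x' OR '1'='1"
    # Closes the literal and comments out the rest of the statement:
    #   ... WHERE CITY = 'Paris' --' ORDER BY NAME
    comment_out = "Paris' --"
    return {
        "concat_honest": query_concatenated(conn, honest),
        "concat_tautology": query_concatenated(conn, tautology),
        "concat_comment": query_concatenated(conn, comment_out),
        "param_honest": query_parameterised(conn, honest),
        # The bound value is compared as a whole string; no customer lives in
        # a city literally named "x' OR '1'='1", so nothing matches.
        "param_tautology": query_parameterised(conn, tautology),
        "param_comment": query_parameterised(conn, comment_out),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:18} -> {rows}")
```

Running the block prints every customer for the concatenated query with the tautology input and an empty result for the parameterised query with the same input. That is the whole difference: assigning a string to a parameter hands the engine a value, while concatenating it hands the engine more SQL.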