You are going down the right lines. Personally, I have a factory that caches the SQL files and checks the last modified date, but it's doing what you are doing:
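    // Requires: using System.Data; using System.Data.SqlClient; using System.IO;
    // Load the query text from the .sql file on disk.
    string script = File.ReadAllText(_serverPath + sqlName + ".sql");
    using (SqlConnection conn = new SqlConnection(ConnString))
    {
        conn.Open();
        using (SqlCommand sqlCmd = new SqlCommand(script, conn))
        {
            sqlCmd.CommandType = CommandType.Text;
            // The value is bound as a parameter, never concatenated into the SQL text.
            sqlCmd.Parameters.AddWithValue("@CompanyGuid", CompanyGuid);
            // ExecuteNonQuery discards any result set; use ExecuteReader to read rows.
            sqlCmd.ExecuteNonQuery();
        }
    }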
You then have a SQL text file with the parameter prefixed with the @ symbol:
    SELECT * FROM tblCompany WHERE CompanyGuid = @CompanyGuid
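The answer mentions a factory that caches the SQL files and checks the last modified date. The sketch below is an added example of that idea, not the poster's own code; the class name `SqlScriptCache`, the name pattern, and the use of value tuples (C# 7 or later) are assumptions. Because the script name ends up in a file path, it also restricts the name to letters, digits and underscores so that a name can never point outside the script directory.

```csharp
using System;
using System.Collections.Concurrent;
using System.IO;
using System.Text.RegularExpressions;

// Hypothetical helper (not from the original post): caches .sql files and
// reloads one only when its last-modified time changes.
public sealed class SqlScriptCache
{
    // Assumed naming rule: script names are plain identifiers, no separators or dots.
    private static readonly Regex SafeName = new Regex(@"\A[A-Za-z0-9_]+\z");

    private readonly string _root;
    private readonly ConcurrentDictionary<string, (DateTime Stamp, string Text)> _cache =
        new ConcurrentDictionary<string, (DateTime Stamp, string Text)>();

    public SqlScriptCache(string root)
    {
        _root = Path.GetFullPath(root);
    }

    public string Get(string sqlName)
    {
        // Reject anything that could leave the script directory ("..", slashes, drive letters).
        if (sqlName == null || !SafeName.IsMatch(sqlName))
            throw new ArgumentException("Invalid script name.", nameof(sqlName));

        string path = Path.Combine(_root, sqlName + ".sql");
        DateTime stamp = File.GetLastWriteTimeUtc(path);

        // Serve the cached text while the file on disk is unchanged.
        if (_cache.TryGetValue(sqlName, out var entry) && entry.Stamp == stamp)
            return entry.Text;

        // File is new or was modified: read it again and replace the cached copy.
        // A missing file surfaces here as FileNotFoundException.
        string text = File.ReadAllText(path);
        _cache[sqlName] = (stamp, text);
        return text;
    }
}
```

With an instance created once for the script directory, `cache.Get(sqlName)` takes the place of the `File.ReadAllText` call when building the `SqlCommand`; the parameter binding stays as it is.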