"SELECT COUNT(*) AS MyCount from members WHERE ID = " + @WF_ID;
This is not a parameterized query at all. You just concatenated the value to your SQL string.
"SELECT COUNT(*) AS MyCount from members WHERE ID = @WF_ID";
This would make it use your parameter.
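The difference between the two strings above, as an added example that is not code from the original post. It uses Python's `sqlite3` module; the table contents, the function names and the `:WF_ID` placeholder spelling (sqlite3's form of a named parameter) are assumptions made for the illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data: three members with integer IDs.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (ID INTEGER PRIMARY KEY, name TEXT)")
    db.executemany(
        "INSERT INTO members (ID, name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return db


def count_concatenated(db, wf_id):
    # Same shape as the first string: the value is pasted into the SQL text,
    # so the database parses whatever it contains as SQL.
    sql = "SELECT COUNT(*) AS MyCount FROM members WHERE ID = " + str(wf_id)
    return db.execute(sql).fetchone()[0]


def count_parameterized(db, wf_id):
    # Same shape as the second string: the SQL text is constant and the
    # value is bound separately, so it is only ever compared as data.
    sql = "SELECT COUNT(*) AS MyCount FROM members WHERE ID = :WF_ID"
    return db.execute(sql, {"WF_ID": wf_id}).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal ID, and a value that carries SQL syntax.
    for value in (2, "0 OR 1=1"):
        print(repr(value),
              "concatenated:", count_concatenated(db, value),
              "parameterized:", count_parameterized(db, value))
```

With the concatenated form the second input changes the WHERE clause and every row is counted; with the bound parameter the same input matches no ID.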