Connections don't have parameters. You could use the OleDbConnectionStringBuilder class to build your connection string.
But for the Command object, yes, always use parameters to avoid SQL injection:
Dim cmd As New OleDb.OleDbCommand("SELECT Name FROM Units WHERE Code = @code", cn)
cmd.Parameters.AddWithValue("@code", search)
Do note that the OleDb library doesn't actually use the @code name signature; it will fill in the parameters in index order, so you could replace @code with just a question mark (?).
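An added example, not part of the original answer, combining both points: the connection string is assembled with OleDbConnectionStringBuilder, and two positional parameters are added in the same order as their ? markers. The Category column, the provider name and the database path are assumptions made for illustration.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Data.OleDb

Module UnitLookup
    ' Build the connection string from parts instead of concatenating text;
    ' the builder handles quoting of each value it is given.
    Function BuildConnectionString(dbPath As String) As String
        Dim csb As New OleDbConnectionStringBuilder()
        csb.Provider = "Microsoft.ACE.OLEDB.12.0"   ' assumed provider
        csb.DataSource = dbPath
        Return csb.ConnectionString
    End Function

    ' "Category" is a hypothetical second column, used only to show ordering.
    Function FindUnitNames(dbPath As String, code As String, category As String) As List(Of String)
        Dim names As New List(Of String)
        Dim sql As String = "SELECT Name FROM Units WHERE Code = ? AND Category = ?"
        Using cn As New OleDbConnection(BuildConnectionString(dbPath))
            Using cmd As New OleDbCommand(sql, cn)
                ' OleDb binds by position, so parameters are added in the same
                ' order as the ? markers. The names are labels only; swapping
                ' these two lines would silently swap the values compared.
                cmd.Parameters.Add("@code", OleDbType.VarWChar, 50).Value = code
                cmd.Parameters.Add("@category", OleDbType.VarWChar, 50).Value = category
                cn.Open()
                Using rdr As OleDbDataReader = cmd.ExecuteReader()
                    While rdr.Read()
                        If Not rdr.IsDBNull(0) Then names.Add(rdr.GetString(0))
                    End While
                End Using
            End Using
        End Using
        Return names
    End Function

    Sub Main()
        ' Constructed sample input; the path is a placeholder. The quote in
        ' the code value is compared as data, not parsed as SQL.
        For Each unitName In FindUnitNames("C:\data\units.accdb", "A'1", "Pumps")
            Console.WriteLine(unitName)
        Next
    End Sub
End Module
```

Declaring the type and size with Parameters.Add, rather than AddWithValue, also avoids leaving the provider to infer the parameter type from the value.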