Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE ID 89)
Hello everyone, please help with this SQL injection flaw reported by Veracode; refer to the code below.
Description:
This database query contains a SQL injection flaw. The function call constructs a dynamic SQL query using a variable derived from user-supplied input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database.
Recommendations:
Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible.
Source code:
' DBAccessor.vb: the helper the caller below uses. Only AddParameter and MakeDBCall were in the
' post; the fields, enum, LookupConnectionString, setCmdText and CloseConnection are filled in
' from how the caller uses them.
Imports System
Imports System.Collections
Imports System.Data
Imports System.Data.SqlClient

Namespace DBAccessor
    Public Class DBAccessor
        Public Enum Direction
            input
            output
        End Enum

        Private connectionString As String
        Private cmdText As String
        Private Con As SqlConnection
        Private Adapter As New SqlDataAdapter
        ' Shared between AddParameter and MakeDBCall. In the post it was declared as a local
        ' inside AddParameter and never initialised, so parms.Add would have thrown.
        Private parms As New ArrayList

        Public Sub LookupConnectionString(ByVal name As String)
            ' Body not shown in the post; assumed to read the named string from app config.
            connectionString = System.Configuration.ConfigurationManager.ConnectionStrings(name).ConnectionString
        End Sub

        Public Sub setCmdText(ByVal text As String)
            cmdText = text
        End Sub

        Public Sub AddParameter(ByVal parmName As String, ByVal parmValue As String, _
                                ByVal parmType As SqlDbType, ByVal parmDirection As Direction, _
                                Optional ByVal parmSize As Integer = 0)
            Dim Parameter As SqlParameter
            If parmDirection = Direction.input Then   ' the post was missing the "If"
                Parameter = New SqlParameter(parmName, parmValue)
                Parameter.Direction = ParameterDirection.Input
                Parameter.SqlDbType = parmType
                If parmSize > 0 Then Parameter.Size = parmSize
                parms.Add(Parameter)
            End If
        End Sub

        Public Function MakeDBCall() As DataSet
            Try
                Dim DataSet As DataSet = New DataSet
                Dim Command As New SqlCommand
                Dim i As Integer
                Con = New SqlConnection(connectionString)
                'Open connection and set the adapter for a stored procedure.
                Con.Open()
                Adapter.SelectCommand = Command
                Adapter.SelectCommand.Connection = Con
                Adapter.SelectCommand.CommandType = CommandType.StoredProcedure 'type stored procedure
                Adapter.SelectCommand.CommandText = cmdText 'StoredProcedure name
                'Add parameters
                For i = 0 To (parms.Count - 1)
                    Adapter.SelectCommand.Parameters.Add(parms(i))
                Next
                Adapter.Fill(DataSet)
                Return DataSet
            Catch ex As Exception
                Return Nothing
            End Try
        End Function

        Public Sub CloseConnection()
            If Con IsNot Nothing Then Con.Close()
        End Sub
    End Class
End Namespace

' Caller, in another class; DBAccessor and objDataset are fields of that class.
Private DBAccessor As DBAccessor.DBAccessor
Private objDataset As DataSet

Public Function Employeenumber(ByVal ENumber As String) As Boolean
    Try
        DBAccessor = New DBAccessor.DBAccessor
        DBAccessor.LookupConnectionString("Sample")
        DBAccessor.setCmdText("StoredProcedurename")
        DBAccessor.AddParameter("@parametername", Nothing, SqlDbType.VarChar, DBAccessor.DBAccessor.Direction.input)
        objDataset = DBAccessor.MakeDBCall
        Return True
    Catch ex As Exception
        Return False
    Finally
        DBAccessor.CloseConnection()
        DBAccessor = Nothing
    End Try
End Function
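For comparison, here is an added example (my own code, not the poster's and not Veracode's) that puts the string-concatenated query CWE-89 describes next to the two parameterized forms the recommendation asks for, plus a centralized validation routine of the kind it mentions. The EmployeeLookup class, the Employees table and EmployeeNumber column, the usp_EmployeeExists procedure and the connection string handed to the constructor are all assumed for illustration.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.Text.RegularExpressions

' Added example, not the poster's code. Table, column, procedure and connection string
' (Employees, EmployeeNumber, usp_EmployeeExists, args(0)) are assumed.
Public Class EmployeeLookup
    Private ReadOnly _connectionString As String

    Public Sub New(ByVal connectionString As String)
        _connectionString = connectionString
    End Sub

    ' Centralized validation: an employee number is 1-20 letters or digits (assumed format).
    ' Defence in depth on top of parameterization, not a replacement for it.
    Public Shared Function IsValidEmployeeNumber(ByVal eNumber As String) As Boolean
        Return eNumber IsNot Nothing AndAlso Regex.IsMatch(eNumber, "^[A-Za-z0-9]{1,20}\z")
    End Function

    ' VULNERABLE (CWE-89): the caller's value is pasted into the SQL text, so an input
    ' such as  x' OR 1=1 --  rewrites the WHERE clause the database executes.
    Public Function EmployeeExistsUnsafe(ByVal eNumber As String) As Boolean
        Dim sql As String = "SELECT COUNT(*) FROM Employees WHERE EmployeeNumber = '" & eNumber & "'"
        Using con As New SqlConnection(_connectionString)
            Using cmd As New SqlCommand(sql, con)
                con.Open()
                Return CInt(cmd.ExecuteScalar()) > 0
            End Using
        End Using
    End Function

    ' FIXED: the SQL text is a constant and the value travels as a typed bind variable,
    ' so the database parses the statement before it ever sees the input.
    Public Function EmployeeExists(ByVal eNumber As String) As Boolean
        If Not IsValidEmployeeNumber(eNumber) Then
            Throw New ArgumentException("Employee number has an unexpected format.", "eNumber")
        End If
        Const sql As String = "SELECT COUNT(*) FROM Employees WHERE EmployeeNumber = @ENumber"
        Using con As New SqlConnection(_connectionString)
            Using cmd As New SqlCommand(sql, con)
                cmd.Parameters.Add("@ENumber", SqlDbType.VarChar, 20).Value = eNumber
                con.Open()
                Return CInt(cmd.ExecuteScalar()) > 0
            End Using
        End Using
    End Function

    ' FIXED, stored-procedure form (what the poster's MakeDBCall is aiming at): the procedure
    ' name is a constant chosen by this code, never by the caller, and the argument is still a
    ' typed parameter. This is only as safe as the procedure: if usp_EmployeeExists concatenates
    ' @ENumber into a string and runs it with EXEC, the injection simply moves into T-SQL.
    Public Function EmployeeExistsViaProc(ByVal eNumber As String) As DataSet
        If Not IsValidEmployeeNumber(eNumber) Then
            Throw New ArgumentException("Employee number has an unexpected format.", "eNumber")
        End If
        Const procName As String = "usp_EmployeeExists"
        Dim result As New DataSet()
        Using con As New SqlConnection(_connectionString)
            Using cmd As New SqlCommand(procName, con)
                cmd.CommandType = CommandType.StoredProcedure
                cmd.Parameters.Add("@ENumber", SqlDbType.VarChar, 20).Value = eNumber
                Using adapter As New SqlDataAdapter(cmd)
                    adapter.Fill(result)   ' Fill opens and closes the connection itself
                End Using
            End Using
        End Using
        Return result
    End Function
End Class

Module Demo
    ' Usage: Demo.exe "<connection string>" E12345
    Sub Main(ByVal args As String())
        Dim lookup As New EmployeeLookup(args(0))
        ' The classic payload never reaches a query: validation rejects it first.
        Console.WriteLine(EmployeeLookup.IsValidEmployeeNumber("x' OR 1=1 --"))
        Console.WriteLine(lookup.EmployeeExists(args(1)))
    End Sub
End Module
```

The point to take from the two fixed methods is that the command text must be a compile-time constant and every caller-controlled value must be a typed SqlParameter. Parameterizing a stored-procedure call keeps the input out of the query text on the client side only; if the procedure itself builds dynamic SQL from its argument, the flaw is in the procedure, and if the procedure name is taken from the caller, the caller chooses what runs. Keeping the name a constant and the value a parameter is what lets a scanner, and a reviewer, see that no user-supplied string is ever part of the SQL.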