I'm dipping my toes into the waters of sql.pkg, and I can't for the life of me figure out how to parameterize queries.

I have some obviously dangerous code:

Code:
Handle hoSQLMngr hdbc hstmt
String sName sQuery

Get CreateSQLmanager to hoSQLMngr
Get SQLFileConnect of hoSQLMngr Customer.File_number to hdbc
Get SQLOpen of hdbc to hstmt

move "bobby's unescaped name" to sName
move "SELECT COUNT(*) as 'total' from incident where incident.name = '?'" to sQuery

//here's where it gets dangerous: the value is spliced into the SQL text,
//so the apostrophe in sName ends the quoted literal early
move (replaces("?",sQuery,sName)) to sQuery

//the statement text has to be passed to SQLExecDirect
Send SQLExecDirect of hstmt sQuery

Apart from manually sanitizing sName, how do I parameterize this? Is it possible to parameterize SQL queries via sql.pkg?
If I can't parameterize this, then is there a standard escape function? I can find nothing in the help, or in sql.pkg.
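The post's question about sql.pkg is not answered here. As an added illustration that is not part of the original post and does not use sql.pkg, the following Python/sqlite3 code reproduces the same string substitution against a constructed in-memory `incident` table, showing that a plain apostrophe in the value (the post's own "bobby's unescaped name") already breaks the spliced query, while a bound parameter returns the correct count. Note that the placeholder in a parameterized statement must be unquoted: the post's `'?'` is a string literal, not a parameter.

```python
import sqlite3

# Constructed sample rows standing in for the post's "incident" table.
SAMPLE_ROWS = [("bobby's unescaped name",), ("alice",), ("bobby's unescaped name",)]

# The post's query text, with a quoted '?' that is spliced over, not bound.
QUERY_TEMPLATE = "SELECT COUNT(*) as 'total' from incident where incident.name = '?'"


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE incident (name TEXT)")
    con.executemany("INSERT INTO incident (name) VALUES (?)", SAMPLE_ROWS)
    return con


def count_by_substitution(con, name):
    """The post's approach: replace '?' in the SQL text with the raw value.

    Returns the count when the spliced text still parses, or None when the
    value's own characters (here an apostrophe) turn it into invalid SQL.
    """
    query = QUERY_TEMPLATE.replace("?", name)  # same as Replaces("?", sQuery, sName)
    try:
        return con.execute(query).fetchone()[0]
    except sqlite3.Error:
        return None


def count_by_parameter(con, name):
    """Hardened form: an unquoted ? placeholder, value passed separately.

    The driver sends the value as data, so quotes inside it never reach the
    SQL parser and no escaping is needed.
    """
    query = "SELECT COUNT(*) AS total FROM incident WHERE incident.name = ?"
    return con.execute(query, (name,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    for value in ("alice", "bobby's unescaped name"):
        print(value, "substitution:", count_by_substitution(db, value),
              "parameter:", count_by_parameter(db, value))
```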