SQL: Use of @ to Avoid SQLInjection

The @ (i.e. @Something) means it’s a parameter that you will supply a value for later in your code. This is the best way of protecting against SQL injection.
Create your query using parameters, rather than concatenating strings and variables.
The database engine puts the parameter value into where the placeholder is, and there is zero chance for SQL injection.