In an ideal situation, you would use a stored procedure to parametrize the process so that you protect yourself from injection attacks. Your DBAccess class should have a method that executes the call to that procedure and your business class object should call the DBAccess class to get the data inserted.
BUSINESS calls DBAccess calls StoredProc inserts Data
If you absolutely have to write SQL, you should do that in the DBAccess object, but by all means scrub the data values before creating the SQL to send to the DB.
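The layering the answer describes (business object calls DBAccess, DBAccess runs a parameterized call) in working Python, as an added example that is not part of the original answer. It uses SQLite, which has no stored procedures, so the parameterized statement inside `DBAccess` stands in for the procedure call; the class and method names (`UserService`, `insert_user`, `insert_user_unsafe`) and the table schema are assumptions made for the illustration. The unsafe method shows why building the SQL from the values is the problem: a single crafted value turns one insert into two rows.

```python
import sqlite3

# Constructed schema for the example; not from the original answer.
SCHEMA = (
    "CREATE TABLE users ("
    "id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)"
)


class DBAccess:
    """The only layer that talks to the database (hypothetical name)."""

    def __init__(self, conn):
        self.conn = conn

    def insert_user_unsafe(self, name, email):
        # Anti-pattern: the SQL text is assembled from the raw values, so the
        # caller's data becomes part of the statement the database parses.
        sql = f"INSERT INTO users (name, email) VALUES ('{name}', '{email}')"
        self.conn.execute(sql)
        self.conn.commit()

    def insert_user(self, name, email):
        # Parameterized statement: the values travel separately from the SQL
        # text, so the driver never interprets them as SQL. With a server
        # RDBMS this is where DBAccess would call the stored procedure with
        # bound parameters instead.
        self.conn.execute(
            "INSERT INTO users (name, email) VALUES (?, ?)", (name, email)
        )
        self.conn.commit()

    def count_users(self):
        return self.conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]

    def emails(self):
        rows = self.conn.execute("SELECT email FROM users ORDER BY id")
        return [row[0] for row in rows]


class UserService:
    """Business layer (hypothetical): validates, then delegates to DBAccess.
    It never builds SQL itself."""

    def __init__(self, db):
        self.db = db

    def register(self, name, email):
        if not name or "@" not in email:
            raise ValueError("invalid registration data")
        self.db.insert_user(name, email)


# Constructed attacker input: closes the email literal and appends a second
# row, all inside one INSERT statement (no stacked query needed).
PAYLOAD = "attacker@evil.example'), ('Eve', 'eve@evil.example"


def _fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return DBAccess(conn)


def unsafe_insert_result():
    """String-built SQL: the payload is executed as SQL and inserts two rows."""
    db = _fresh_db()
    db.insert_user_unsafe("Mallory", PAYLOAD)
    return db.count_users(), db.emails()


def safe_insert_result():
    """Business -> DBAccess -> parameterized call: exactly one row, with the
    payload stored as an ordinary (odd-looking) email string."""
    db = _fresh_db()
    UserService(db).register("Mallory", PAYLOAD)
    return db.count_users(), db.emails()


if __name__ == "__main__":
    print("unsafe:", unsafe_insert_result())  # (2, ['attacker@evil.example', 'eve@evil.example'])
    print("safe:  ", safe_insert_result())    # (1, ["attacker@evil.example'), ('Eve', 'eve@evil.example"])
```

With a server database the shape is the same: the business object still only calls `DBAccess`, and `DBAccess` invokes the procedure through the driver's parameter binding (for example the optional `Cursor.callproc(procname, parameters)` defined by PEP 249, or an `EXEC`/`CALL` statement with placeholders), never by pasting values into the statement text.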