If you are using sqlite (sure looks like it), you do not have to do the string replaces yourself. Use sqlite3_bind_* instead.

bind documentation

There are a lot of benefits from using the APIs from your database provider, so you really shouldn’t avoid them if you can help it. You’ll have better type safety, better protection against injection, and way better performance.

Otherwise, I would use boost::format for this.

std::string sql = "insert into Norm1Tab values ('%1%','%2%');";
boost::format fmt(sql);
std::string stmt = boost::str( fmt % param1 % param2 );

As mentioned by others, you’ll need to clean your params to make sure there aren’t any injection vulnerabilities.

If you don’t, anything with special characters could break it.

char const* param1 = "Joe's House";

It would take some knowledge of the structure to destroy it. As soon as someone saw the error message from the Joe's House, they would probably know that they could do worse.

char const* param1 = "'); DROP Norm1Tab; --";

If you do this consistently, it is only a matter of time before a smart person is going to have your full schema. With sqlite for instance, any injection on a query could get you all the information you needed to quietly modify your records in any way that they wanted.

SELECT * FROM sqlite_master;