is there a way to check query after parameters are applied?

Question

Consider below query , i am passing (-- double dash in username to bypass password)

SqlCommand cmd=new SqlCommand("Select * from users where username=@UserName and Password=@password",con );

Now, i am passing username as Sachin'-- and with password field empty.

According to me , the query now becomes

Select * from users where username='Sachin'--' and Password=''

As you can see, it seems like i am successfully able to bypaas Password , i just wanted to know how the query is constructed when parameters are used , cause obviously it prevents SQL injection.

Please take the same example and clearify.

Sachin Singh · Answer

Testing with Sql profile reveals the hidden logic the result is @UserName = N 'Sachin' '--' , @ Password = N 'xyz' the single apostrophe becomes double apostrophe and so the whole query becomes Select * from Users where UserName= 'Sachin' '--' and Password = 'XYZ' In this way it prevents Sql Injection attack.

Sachin Singh · Answer

@Aman Gupta I already tested with that it is producing below results select * from Users where UserName= 'Sachin' --' and Password='' The same as i have guessed , then how is it safely preventing SQL injection.

Sachin Singh · Answer

@Amit sir, It is executing with no errors , however it is returning null. and leave empty password consider wrong password then what do you say on this sir?

Amit Gupta · Answer

It is obviously done behind the scence but I believe that it first check (mandatory) the parameters are passed or not, if you bypass using --(comment) then it will fail to execute it. So, it avoid injection.