Why or how parameterized queries prevent SQL injection?

Question

Lets say I want to read user data from a table when user provides username and password.

My plain text query looks like this:

select * from Users where UserName = '{THIS WILL BE PROVIDED BY USER}' and Password = '{THIS WILL BE PROVIDED BY USER}';

Now I use SQL parameters to prevent SQL injection problem with the aforementioned query:

SqlCommand command = new SqlCommand();
        command.CommandText = $"select * from Users where UserName = @UserName and Password = @Password";
        command.Connection = connection;

        SqlParameter parameter = new SqlParameter("@UserName", SqlDbType.NVarChar);
        parameter.Value = "{THIS WILL BE PROVIDED BY USER}";
        command.Parameters.Add(parameter);

        SqlParameter parameter2 = new SqlParameter("@Password", SqlDbType.NVarChar);
        parameter2.Value = "{THIS WILL BE PROVIDED BY USER}";
        command.Parameters.Add(parameter2);

If I use the typical value like this ' OR 1=1 -- to reproduce the SQL injection, it does not work with parameterized query.

Why parameterized queries are able to prevent SQL injection?

Though query is parameterized, eventually it has to be turned into a "usual" query at the time of execution. When we are setting the malicious value for a parameter, why does not it take effect?

What happens under the hood?

[This answer](https://stackoverflow.com/a/58419045/285587) will give you the idea — Your Common Sense, Oct 17 '19 at 11:23
Actually, this answer is significantly better. https://stackoverflow.com/questions/4892166/how-does-sqlparameter-prevent-sql-injection — The Muffin Man, Oct 17 '19 at 11:29

Why or how parameterized queries prevent SQL injection?

0 Answers0