You have a mistaken notion of how parameterized queries work. The "parsed text" you speak of is never created, and parameter values are never substituted directly into the query string.
That's why it's so important to use parameterized queries — you have complete segregation of query data from query code. Data is data, code is code, and never the twain shall meet. Thus, there is no possibility for SQL injection.
What it means is that if you have a CommandText like this:
SELECT SomeColumn FROM SomeTable WHERE ID= @ID
instead of ultimately running a query that looks like this:
SELECT SomeColumn FROM SomeTable WHERE ID= 123
you actually run something more like this:
DECLARE @ID Int
Set @ID = RetrieveQueryDataItem("@ID")
SELECT SomeColumn FROM SomeTable WHERE ID= @ID
Now, this isn't exactly what happens; the engine doesn't transform the code like that. Instead, it uses the sp_executesql procedure. But this should help you understand what's going on.
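An added example (mine, not part of the answer above) showing the data/code separation the answer describes. It uses Python's sqlite3 with a constructed in-memory table instead of SQL Server so it runs offline; the `?` placeholder plays the role of `@ID`, and the input `123 OR 1=1` is a constructed sample.

```python
import sqlite3


def make_db():
    """Constructed stand-in for SomeTable; sqlite3 is assumed here instead of SQL Server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SomeTable (ID INTEGER PRIMARY KEY, SomeColumn TEXT)")
    conn.executemany(
        "INSERT INTO SomeTable VALUES (?, ?)",
        [(123, "alpha"), (124, "beta"), (125, "gamma")],
    )
    return conn


def lookup_concatenated(conn, user_input):
    """Vulnerable form: the caller's text is pasted into the query, so it becomes query *code*."""
    sql = "SELECT SomeColumn FROM SomeTable WHERE ID = " + user_input + " ORDER BY ID"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, user_input):
    """Safe form: the query text is fixed; the caller's text is bound as a *value* for ID."""
    sql = "SELECT SomeColumn FROM SomeTable WHERE ID = ? ORDER BY ID"
    # The engine never builds "WHERE ID = 123 OR 1=1"; it compares ID with one bound value.
    return [row[0] for row in conn.execute(sql, (user_input,))]


if __name__ == "__main__":
    db = make_db()
    for text in ("123", "123 OR 1=1"):
        print(repr(text), "concatenated ->", lookup_concatenated(db, text))
        print(repr(text), "parameterized ->", lookup_parameterized(db, text))
```

With the benign input both forms return the same row; with `123 OR 1=1` only the concatenated form leaks the whole table, while the parameterized form finds no ID equal to that literal text.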