SqlCommand cmd = new SqlCommand("Select * from users where username=@UserName and Password=@password", con);
cmd.Parameters.AddWithValue("@UserName", username);
cmd.Parameters.AddWithValue("@password", password);
Now, I am passing the username as Sachin'-- and leaving the password field empty.
According to me, the query now becomes
Select * from users where username='Rajanikant'--' and Password=''
As you can see, it seems like I am successfully able to bypass Password. I just wanted to know how the query is constructed when parameters are used, because obviously it prevents SQL injection.
Please take the same example and clarify.
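Here is an added, runnable illustration of the point being asked about (it is not code from the question above). It uses Python's sqlite3 module standing in for ADO.NET, because sqlite3 accepts the same @UserName / @password placeholder syntax; the users table and its two rows are constructed sample data. The first function builds the query by string concatenation, which is the only way the Sachin'-- input can ever end up inside the SQL text; the second passes the same two placeholders and binds the values separately, so the driver never splices the input into the statement and the quote and -- remain ordinary characters inside the value.

```python
import sqlite3

# Constructed sample data, not from the original question: two user rows.
SAMPLE_USERS = [("Sachin", "s3cret"), ("Rajanikant", "hunter2")]


def make_db():
    """Create an in-memory database with the users table used by the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_concat_sql(username, password):
    """The vulnerable construction: the raw input becomes part of the SQL text.

    With username = "Sachin'--" the closing quote ends the string literal and
    the -- turns the rest of the line (including the Password check) into a comment.
    """
    return ("Select * from users where username='" + username
            + "' and Password='" + password + "'")


def login_concat(conn, username, password):
    """Run the concatenated query; returns all rows the attacker-controlled SQL matches."""
    return conn.execute(build_concat_sql(username, password)).fetchall()


def login_param(conn, username, password):
    """The parameterized construction, with the same placeholders as the SqlCommand.

    The SQL text sent to the engine is exactly this string; the two values travel
    separately and are bound to the placeholders after the statement is parsed,
    so "Sachin'--" is compared as a nine-character username, not interpreted as SQL.
    """
    sql = "Select * from users where username=@UserName and Password=@password"
    return conn.execute(sql, {"UserName": username, "password": password}).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "Sachin'--"
    print("concatenated SQL :", build_concat_sql(payload, ""))
    print("concat rows      :", login_concat(db, payload, ""))      # bypass: Sachin's row
    print("param rows       :", login_param(db, payload, ""))       # no match
    print("param real login :", login_param(db, "Sachin", "s3cret"))  # correct creds still work
```

Usage: run the file directly; the concatenated call returns Sachin's row with an empty password, while the parameterized call with the same input returns nothing, and a correct username/password pair still authenticates. For the real SqlCommand, the mechanism is the same: the client sends the statement text with @UserName and @password still in it, plus the typed values as separate RPC arguments (what a profiler trace shows is a call to sp_executesql with the parameter declarations and values listed after the statement), so there is no step at which the server sees username='Sachin'--'.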