.Internet, Java along with other higher level database API's in a variety of language frequently provide techniques referred to as prepared claims and parameter binding instead of delivering plain text instructions towards the Database server. What I must know is exactly what occurs when you perform statement such as this:

SqlCommand cmd = new SqlCommand("GetMemberByID");
cmd.CommandType = CommandType.StoredProcedure;
SqlParameter param = new SqlParameter("@ID", memberID);
para.DbType = DbType.Integer;
cmd.Parameters.Add(param);

I understand it is really an best-practise, SQL injection attacks are reduced by doing this. But just what happens under to hood whenever you execute these claims? May be the finish result still a SQL safe string? Or what's the finish result? And it is this enough to avoid SQL injection attacks?

The MySQL manual page on prepared claims provides plenty of information (that ought to apply holiday to a RDBMS): http://dev.mysql.com/doc/refman/5.0/en/c-api-prepared-statements.html

Essentially, your statement is parsed and processed in advance, and also the parameters are sent individually rather than being handled together with the SQL code. This removes SQL-injection attacks since the SQL is parsed prior to the parameters are even set.

If you are using MS SQL, stock up the profiler and you will see what SQL claims are produced if you use parameterised queries. Here's a good example (I am using Enterprise Libary 3.1, however the results are identical using SqlParameters directly) against SQL Server 2005:

string sql = "SELECT * FROM tblDomains WHERE DomainName = @DomName AND DomainID = @Did";
Database db = DatabaseFactory.CreateDatabase();
using(DbCommand cmd = db.GetSqlStringCommand(sql))
{
  db.AddInParameter(cmd, "DomName", DbType.String, "xxxxx.net");
  db.AddInParameter(cmd, "Did", DbType.Int32, 500204);

  DataSet ds = db.ExecuteDataSet(cmd);
}

This creates:

exec sp[underscore]executesql N'SELECT * FROM tblDomains WHERE DomainName = @DomName AND DomainID = @Did',
  N'@DomName nvarchar(9),
  @Did int',
  @DomName=N'xxxxx.net',
  @Did=500204

You may also see here, if quotation figures were passed as parameters, they're steered clear of accordingly:

db.AddInParameter(cmd, "DomName", DbType.String, "'xxxxx.net");

exec sp[underscore]executesql N'SELECT * FROM tblDomains WHERE DomainName = @DomName AND DomainID = @Did',
  N'@DomName nvarchar(10),
  @Did int',
  @DomName=N'''xxxxx.net',
  @Did=500204

in layman terms: if your prepared statement is distributed then your DB uses an agenda if it's available, it does not not need to recreate an agenda each time this question is distributed over only the values from the params have transformed. this is much like how procs work, the extra benefit with procs is you can give permission through procs only and never towards the underlying tables whatsoever