当参数化时，连接的nHibernate查询会改变行为

我看到一个行为与nHibernate，我不理解。我们在代码库中发现了许多SQL注入漏洞。我的任务是参数化查询。我使用NHProf来检查原始查询和参数化查询之间的差异。

原始的连接查询:

string sql = "select IM.Item from ItemCompanyMapping IM where IM.Item.ItemType = " + itemTypeID + " and IM.Item.Active = 1 and IM.Company = '" + companyID + "'";
return _NHibernateSessionManager.GetSession().CreateQuery(sql).List<Item>();

生成如下SQL:

select item1_.ID                     as ID21_,
       item1_.ItemType               as ItemType21_,
       item1_.ItemNum                as ItemNum21_,
       item1_.ItemName               as ItemName21_,
       item1_.UPCCode                as UPCCode21_,
       item1_.ItemStatusID           as ItemStat6_21_,
       item1_.InvAccount             as InvAccount21_,
       item1_.SalesAccount           as SalesAcc8_21_,
       item1_.COGSAccount            as COGSAcco9_21_,
       item1_.SpecialOrder           as Special10_21_,
       item1_.Active                 as Active21_,
       item1_.LastCost               as LastCost21_,
       item1_.AvgCost                as AvgCost21_,
       item1_.ItemGroup              as ItemGroup21_,
       item1_.GroupFlag              as GroupFlag21_,
       item1_.Replenish              as Replenish21_,
       item1_.AllowZeroRetail        as AllowZe17_21_,
       item1_.DateAdded              as DateAdded21_,
       item1_.PriceChangeDate        as PriceCh19_21_,
       item1_.StatusChangeDate       as StatusC20_21_,
       item1_.SectionNumber          as Section21_21_,
       item1_1_.PosDesc              as PosDesc23_,
       item1_1_.PosView              as PosView23_,
       item1_1_.Vieword              as Vieword23_,
       item1_1_.LabCode1             as LabCode5_23_,
       item1_1_.LabCode2             as LabCode6_23_,
       item1_1_.FinityCode           as Finit7_23_,
       item1_2_.Description          as Descript2_24_,
       item1_2_.ViewOrder            as ViewOrder24_,
       item1_2_.LabCode1             as LabCode4_24_,
       item1_2_.LabCode2             as LabCode5_24_,
       item1_2_.FinityCode2          as Finity6_24_,
       item1_3_.PosDesc              as PosDesc25_,
       item1_3_.PosView              as PosView25_,
       item1_3_.Vieword              as Vieword25_,
       item1_3_.LabCode1             as LabCode5_25_,
       item1_3_.LabCode2             as LabCode6_25_,
      case
         when item1_1_.ItemID is not null then 1
         when item1_2_.ItemID is not null then 2
         when item1_3_.ItemID is not null then 3
         when item1_4_.ItemID is not null then 4
         when item1_5_.ItemID is not null then 5
         when item1_6_.ItemID is not null then 6
         when item1_7_.ItemID is not null then 7
         when item1_8_.ItemID is not null then 8
         when item1_9_.ItemID is not null then 9
         when item1_10_.ItemID is not null then 10
         when item1_11_.ItemID is not null then 11
         when item1_12_.ItemID is not null then 12
         when item1_13_.ItemID is not null then 13
         when item1_.ID is not null then 0
       end                           as clazz_
from   ItemCompanyMapping itemcompan0_
       inner join Item item1_
         on itemcompan0_.ItemID = item1_.ID
       left outer join ItemTint item1_1_
         on item1_.ID = item1_1_.ItemID
       left outer join ItemCoat item1_2_
         on item1_.ID = item1_2_.ItemID
       left outer join ItemEdge item1_3_
         on item1_.ID = item1_3_.ItemID
       left outer join ItemMisc item1_4_
         on item1_.ID = item1_4_.ItemID
       left outer join ItemFrame item1_5_
         on item1_.ID = item1_5_.ItemID
       left outer join ItemEGColor item1_6_
         on item1_.ID = item1_6_.ItemID
       left outer join ItemEGMaterial item1_7_
         on item1_.ID = item1_7_.ItemID
       left outer join ItemEGStyle item1_8_
         on item1_.ID = item1_8_.ItemID
       left outer join ItemEGType item1_9_
         on item1_.ID = item1_9_.ItemID
       left outer join ItemEGLens item1_10_
         on item1_.ID = item1_10_.ItemID
       left outer join ItemCL item1_11_
         on item1_.ID = item1_11_.ItemID
       left outer join ItemExam item1_12_
         on item1_.ID = item1_12_.ItemID
       left outer join ItemContactLens item1_13_
         on item1_.ID = item1_13_.ItemID,
       Item item2_
where  itemcompan0_.ItemID = item2_.ID
       and item2_.ItemType = 3
       and item2_.Active = 1
       and itemcompan0_.CompanyID = 'RSN'

参数化查询时:

const string sql2 = "select IM.Item from ItemCompanyMapping IM where IM.Item.ItemType = :itemTypeID and IM.Item.Active = 1 and IM.Company = :companyID";
return _NHibernateSessionManager.GetSession()
    .CreateQuery(sql2)
        .SetParameter("itemTypeID", itemTypeID)
        .SetParameter("companyID", companyID)
    .List<Item>();

生成的sql是非常不同的:

select IM.Item
from   ItemCompanyMapping IM
where  IM.Item.ItemType = 3 /* @p0 */
       and IM.Item.Active = 1
       and IM.Company = 'RSN' /* @p1 */

我怀疑原始查询正在使用Item.hbm.xml来生成sql查询。我感到困惑的是，为什么参数化查询不使用相同的技术来生成sql?