Apr 11, 2021
This supposes that ProvidedUsername is placed as is, from the user input, in the SQL statement. This should not be used in a program. Either the string is a constant, and a literal is OK, or it is a variable and it is passed as a variable (parameter, bind variable...) to a prepared statement, and there's no possibility to change the semantics of the query.
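The distinction drawn in the comment above, as an added example that is not part of the original comment: the same lookup written once with the input concatenated into the SQL text and once passed as a bind variable. The use of Python's `sqlite3`, the `users` table, the function names and all sample values are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return db

def lookup_concatenated(db, provided_username):
    # Anti-pattern: the input becomes part of the SQL text, so the parser
    # decides where the string literal ends and what follows it.
    sql = "SELECT username FROM users WHERE username = '" + provided_username + "'"
    return sorted(row[0] for row in db.execute(sql))

def lookup_bound(db, provided_username):
    # The statement text is fixed; the input is bound to the placeholder and
    # is only ever compared as a value, whatever characters it contains.
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in db.execute(sql, (provided_username,)))

def attempt(lookup, db, provided_username):
    """Return the matching usernames, or None if the statement fails to parse."""
    try:
        return lookup(db, provided_username)
    except sqlite3.Error:
        return None

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: an ordinary name, a legitimate name containing a
    # quote, and a value whose quote ends the literal early in the first form.
    for value in ["bob", "o'brien", "x' OR '1'='1"]:
        print(repr(value))
        print("  concatenated:", attempt(lookup_concatenated, db, value))
        print("  bound:       ", attempt(lookup_bound, db, value))
```

With the bound form, a legitimate name containing a quote is found and the third input matches nothing; with concatenation, the quoted name is a syntax error and the third input returns every row.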