Thank you for the article. It is eye opening for me. Our company user name first letter of the first name and last name + one random number they generate. so I think the validation should be just special character. Also I do not understand why you said replace single quota with double quota.

SELECT * FROM [Login] where [User] = "test";

It will not returen any data. It have Invalid column name 'test' error.