Switching the order is no guarantee; the hacker could modify the string to:
account=1=1;declare @a varchar(1000);set @a=cast(0x73656C656374206E616D652066726F6D207379732E6461746162617365733B as varchar(1000));exec(@a);--
The additional "=1" now returns all records from your planned table and the "--" comments out the rest of the SQL.
It seems we must still check the value is what we expect 🙁
Another great question getting the grey matter going.
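The check the comment above says is still needed, as an added example that is not part of the original post: the `account` value is accepted only if it is a plain decimal integer, and is then bound as a parameter rather than concatenated. The table, the column names, the 1-9 digit format and the use of SQLite as a stand-in database are assumptions made for the illustration.

```python
import re
import sqlite3
from urllib.parse import unquote

# Assumed format: an account id is 1 to 9 ASCII decimal digits, nothing else.
ACCOUNT_RE = re.compile(r"[0-9]{1,9}")

# The string from the post above, used here only as an input that must be rejected.
POSTED = ("account=1=1;declare @a varchar(1000);set @a=cast("
          "0x73656C656374206E616D652066726F6D207379732E6461746162617365733B"
          " as varchar(1000));exec(@a);--")


def parse_account(query_string):
    """Return the account id as an int, or None if the value is not what we expect."""
    name, sep, value = query_string.partition("=")
    if name != "account" or not sep:
        return None
    value = unquote(value)  # validate the decoded value, not the raw one
    # fullmatch (not match/search) so trailing text or a newline cannot slip through
    if not ACCOUNT_RE.fullmatch(value):
        return None
    return int(value)


def lookup(conn, query_string):
    """Return matching owners, or None when the request is rejected."""
    account = parse_account(query_string)
    if account is None:
        return None  # caller should answer with an error, never run SQL
    # The value is bound as a parameter, so it is never parsed as SQL text.
    cur = conn.execute("SELECT owner FROM accounts WHERE account = ?", (account,))
    return [row[0] for row in cur.fetchall()]


def make_db():
    """Constructed sample data (hypothetical table and rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (account INTEGER PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


if __name__ == "__main__":
    db = make_db()
    print(lookup(db, "account=2"))  # one row for the requested account
    print(lookup(db, POSTED))       # rejected before any SQL is run
```
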