• Switching the order is no guarantee; the hacker could modify the string to:

    account=1=1;declare @a varchar(1000);set @a=cast(0x73656C656374206E616D652066726F6D207379732E6461746162617365733B as varchar(1000));exec(@a);--

    The additional "=1" now returns all records from your planned table, and the "--" comments out the rest of the SQL.

    It seems we must still check the value is what we expect 🙁

    Another great question getting the grey matter going.
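A runnable illustration of the injection this reply describes, added here and not part of the thread. It decodes the hex blob from the payload to show the statement that `cast(...)`/`exec(...)` would run on SQL Server, then contrasts a string-built lookup with a parameterized one against a constructed in-memory SQLite table, and finishes with the "check the value is what we expect" step the reply argues for. The `accounts` schema, the trailing `AND owner <> 'carol'` restriction and the exact tautology form `1 OR 1=1;--` are assumptions for the demo; the thread does not show the real query.

```python
import re
import sqlite3

# Hex blob copied from the payload in the reply above. On SQL Server,
# cast(0x... as varchar) turns it back into text and exec() runs it.
HEX_BLOB = "73656C656374206E616D652066726F6D207379732E6461746162617365733B"


def decode_hex_payload(hex_blob: str) -> str:
    """Decode the cast(0x...) blob the way SQL Server would, revealing the hidden SQL."""
    return bytes.fromhex(hex_blob).decode("ascii")


def make_db() -> sqlite3.Connection:
    """Constructed sample table (assumption: the thread does not give the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (account INTEGER, owner TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, account: str) -> list:
    """String concatenation: the input becomes part of the SQL grammar.

    The trailing restriction is a hypothetical 'hidden' filter; a payload ending
    in -- comments it out, exactly as the reply describes.
    """
    sql = "SELECT owner FROM accounts WHERE account = " + account + " AND owner <> 'carol'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, account: str) -> list:
    """Bound parameter: the input is data and is never parsed as SQL."""
    sql = "SELECT owner FROM accounts WHERE account = ? AND owner <> 'carol'"
    return [row[0] for row in conn.execute(sql, (account,))]


# Allowlist for the value we actually expect: a short decimal account number.
ACCOUNT_RE = re.compile(r"\d{1,10}")


def validate_account(account: str) -> int:
    """Reject anything that is not a plain integer before it gets near the database."""
    if not ACCOUNT_RE.fullmatch(account):
        raise ValueError("account must be a decimal integer")
    return int(account)


if __name__ == "__main__":
    payload = "1 OR 1=1;--"  # tautology plus comment, in the spirit of the reply's payload
    conn = make_db()
    print("hidden statement:", decode_hex_payload(HEX_BLOB))
    print("vulnerable, normal input:", lookup_vulnerable(conn, "2"))
    print("vulnerable, payload:    ", lookup_vulnerable(conn, payload))
    print("parameterized, payload: ", lookup_parameterized(conn, payload))
    try:
        validate_account(payload)
    except ValueError as exc:
        print("validation rejected payload:", exc)
```

The parameterized lookup alone stops the payload from changing the query, but it does not stop a caller from sending nonsense; the allowlist check is what makes the value "what we expect". SQLite will not run the stacked `declare ... exec` part of the original payload (that part is T-SQL and the sqlite3 module refuses multiple statements per `execute`), which is why the example decodes the blob instead of executing it.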