Burepalli V S Rao,
You have a valid point, I did tested it if you replace single quote with a double quote then indeed your code is harmless
if you **do not** then it is subjected to SQL injection shown below with an example
in the example you posted
if the actual textbox username entry is
' ; DROP DATABASE pubs --
your query will become
select count(*) from Users where username=''; DROP DATABASE pubs --'
The; (semicolon) character tells SQL that this is the end of the current statement, which is then followed by the following malicious SQL code.
; DROP DATABASE pubs
Finally, the -- (double dash) sequence of characters is a SQL comment that tells SQL to ignore the rest of the text. In this case, SQL ignores the closing ' (single quotation mark) character, which would otherwise cause a SQL parser error.
But if you escape single quote with double quote then it will throw SQL parser error which will prevent malicious code to be executed.