A. Boukar
Apr 12, 2021


Thank you Franck for your response.

It is true that prepared statements prevent this type of attack from occurring. However, not all developers follow this practice. Even worse, some careless developers might neglect sanitizing user input and place user-provided input as is in the SQL statement. As I mentioned in the introduction, this attack can be effective on websites "that do not implement secure coding practices".

I used 'ProvidedUsername' and 'ProvidedPassword' for the sake of simplicity. This story is aimed towards beginners and I didn't want to overwhelm the reader with variables (which differ from one language to another). I don't suppose that every reader would know PHP or any other server-side language, so I just used these two plain strings as placeholders for whatever input the user provides.

Written by A. Boukar

A cybersecurity enthusiast, and founder @ Patchthenet.com
