What can be done to make this SQL into a dangerous SQL?

Now there is a SQL like this:
SELECT * FROM member WHERE username = params LIMIT 1
params is a variable entered by the user, supposeI know all the database table fields and can only execute one SQL statement (executed by the ORM of the project), how to fill in the value of params will become a SQL that is harmful to the database/data table/table data

SELECT * FROM member WHERE username = "params" LIMIT 1
params = '" or (delete * from member) or username="';
The flattening becomes
SELECT * FROM member WHERE username = "" or (delete * from member) or username="" LIMIT 1

But this is a theoretical situation. In fact, most frameworks have some built-in processing, which is not so easy to inject. For example, double quotes in variables are automatically escaped, so that it becomes SELECT * FROM member WHERE username= "\" or (delete * from member) or username=\"" LIMIT 1, then it's harmless.

In simple terms, don't spell SQL yourself, but use the methods provided by the object to deal with it.Isn't php generally $query->from('member')->where('username', params)->fetch().

SQL injection, use precompile to solve