I guess this will only work on untyped languages and where the application isn't checking to see if the value of 'username' is a string

All the more reason to watch your inputs, and assume everything is malicious.