great question. Almost worth another post just to answer it.
If you do a var_dump on the $query variable when you enter the text you suggest you’ll get :

BEGIN :l_count := validate_app_user_fn('HARRY','DUNNO\'); DELETE FROM APP_USERS; COMMIT; DBMS_OUTPUT.PUT_LINE(\''); END;

This generates the error :

ORA-06550: line 1, column 111: PLS-00103: Encountered the symbol "\" when expecting one of the following: ( ) - + case mod new not null others <an identifier> <a double-quoted delimited-identifier> <a bind variable> table avg count current exists max min prior sql stddev sum variance execute multiset the both leading trailing forall merge year month DAY_ hour minute second timezone_hour timezone_minute timezone_region timezone_abbr time timestamp interval date <a string literal with character set specification>

You can get a clearer idea of what’s happening here if we use a shorter string.
So – username = Harry, Password = ‘vain attempt to inject some SQL ‘

BEGIN :l_count := validate_app_user_fn('HARRY','VAIN ATTEMPT TO INJECT SOME SQL\''); END;

Which results in :

ORA-01756: quoted string not properly terminated

Essentially, this is because the database engine recognises the $query value as a PL/SQL block.
It then binds the input variables to the input values for the function. Therefore, whatever values the user enters, they’ll be treated as parameters to the function and nothing else.

What if he puts in
dunno’); delete from app_users; commit; dbms_output.put_line(‘
as the password value ?
Won’t it execute the following ?

BEGIN :l_count := validate_app_user_fn(‘HARRY’,'dunno’); delete from app_users; commit; dbms_output.put_line(”); END;