While I do agree with you, working on the SQL aspect is not a possibility in this case. It also first appeared that invoking any external code only when its outcome will be meaningful is more appropriate and easier to do. And if Stefan suggestion works, it would then be true.
In any case, it does appear illogical to request 4-5 times the same query (independentely of their time taken to execute) to an SQL database and discard its result each time based on a username that is not yet validated (not the inner-tunnel username) and may not be the correct one.