I'd like to subject to some SQL injection tests

Why?

FWIW, https://github.com/evolvethinking/delta_reporting/blob/master/app/lib/DeltaR/Query.pm does have some weird things, like fake-oo with fake-globals, not using placeholders ...