I know placeholders and those hold their place quite well..
Unfortunately I haven't seen any real performance or other improves with those. (Only in repetitive task.)
Those are good, if you want in some strange reason to put binary-stuff to db or do same insert many times etc.

Usually quote is enough with a bit of sanity-check like ~/^\d+/.
Ofc one have to be aware of sql-injection and not only depend audition where someone else is trying to hack into system.

Actually I made once geocaching-mystery, which includes sql-injection and it was quite hard, cause I learnt to avoid those.

This approach, which I chosen is a test, in which I try to different direction.
Ofc I could use pre-made queries with placeholder and all that jazz, but clients needs are changing and I can't foresee any of those different variations they might need.
I'll be ending to do lots of different variations of queries beforehand and when need arices I have to do the needed one, cause I cannot anticipate their needs exactly.

I'll be quite sure, that only I'll do those queries.
It'll be quite like changing code afterwards, but quicker and easier.

And yes, access to those queries is quite limited.
Ofc it's hackable, cause everything is, but then whole system is compromised, like source-code and database.