As far I can tell, you tested using only one DBD. You didn't even say which. Since everything you've covered is DBD-specific, what applies to the DBD you used doesn't necessarily apply to another. Why not use bindings or the provided quoting function instead of trying to figure out what else might work. You're only opening yourself to SQL injection attacks if something change in the database or in your configuration.