in reply to Re: No apostrophe Insert into MySQL
in thread No apostrophe Insert into MySQL

But some databases accept backslashing as well. And others yet may have who-knows-what special rules. Unless you cover every possible base, an attacker will have a way in.

Quoting your strings manually is an uphill battle, and one you may lose with your next system upgrade. So don’t even try. Use the quoting facilities supplied by the database (or the DBI driver) instead. They’re always complete – and if not, it’s because of someone else’s bug, with the maintenance cost being outside your codebase.

Makeshifts last the longest.
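The advice in the post above, as an added example that is not part of the original post: values containing apostrophes and backslashes are stored once through placeholders and once through the driver's own `quote` method, then checked for an exact round trip. It assumes DBD::SQLite is installed (an in-memory database keeps it offline); the `people` table and the sample names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available. With MySQL only the DSN and
# credentials change; the quoting calls below stay the same.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });

$dbh->do('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT)');

# Constructed sample values with characters that hand-rolled quoting
# tends to get wrong: apostrophes, backslashes, mixed quote styles.
my @names = (
    "O'Reilly",
    'back\\slash',
    q{trailing\\'},
    q{"double" and 'single'},
);

# 1. Placeholders: the value is bound by the driver and never becomes
#    part of the SQL text.
my $ins = $dbh->prepare('INSERT INTO people (name) VALUES (?)');
$ins->execute($_) for @names;

# 2. $dbh->quote: when a literal really has to be interpolated, the driver
#    applies the escaping rules of the database it is connected to.
for my $name (@names) {
    $dbh->do('INSERT INTO people (name) VALUES (' . $dbh->quote($name) . ')');
}

# Each value must come back unchanged, once per insertion method.
my $sel = $dbh->prepare('SELECT COUNT(*) FROM people WHERE name = ?');
for my $name (@names) {
    $sel->execute($name);
    my ($count) = $sel->fetchrow_array;
    $sel->finish;
    printf "%-25s stored %d time(s)\n", $name, $count;
    die "round trip failed for $name\n" unless $count == 2;
}

$dbh->disconnect;
```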