Much grief can occur by trying to assemble an SQL-string in order to insert parameter-values into the statement’s text.   What you should be doing, for a wide variety of “Bobby Tables reasons” is using placeholders ... parameters.   When parameters are substituted, the substitutions are treated as what they are:   variables, not text-strings.

It ought to be fairly easy to adjust this class so that it accepts, not only the SQL that should be executed, but an arrayref of any parameters that need to be substituted into it.   (If there are no parameters, this is ignored.)   Not only is the entire immediate problem solved “for good and for always” in one stroke, but the SQL processing can be made much more efficient, too.   Once you have prepared the query-handle once, you can execute it as many times as you like, with any parameter-values you wish, without re-preparing it (because the SQL text and therefore the execution-plan is no longer changing).