If this query is to be used in a DBI environment to get data out of the database, wouldn't it be much safer (and probably easier too) to simply use "?" placeholders?
"A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James
My blog: Imperial Deltronics
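The "?" placeholder approach suggested in the post above, next to string interpolation, as an added example that is not part of the original post. It assumes DBD::SQLite is installed; the `users` table, its rows and the two input values are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed sample data in an in-memory SQLite database
# (assumption: DBD::SQLite is available as the driver).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
my $ins = $dbh->prepare('INSERT INTO users (name, role) VALUES (?, ?)');
$ins->execute(@$_) for ['alice', 'admin'], ["o'brien", 'user'], ['carol', 'user'];

# Constructed inputs: an ordinary name containing an apostrophe, and a
# value that rewrites the WHERE clause if it is pasted into the SQL text.
my @inputs = ("o'brien", "x' OR '1'='1");

# Placeholder version: the SQL text is fixed at prepare time and the
# value is bound separately, so it is only ever treated as data.
my $sth = $dbh->prepare('SELECT name, role FROM users WHERE name = ?');

for my $name (@inputs) {
    # Interpolated version, kept only for comparison: the value becomes
    # part of the statement, so a quote either breaks or changes the query.
    my $unsafe_sql  = "SELECT name, role FROM users WHERE name = '$name'";
    my $unsafe_rows = eval { $dbh->selectall_arrayref($unsafe_sql) };
    my $unsafe = defined $unsafe_rows
        ? scalar(@$unsafe_rows) . ' row(s)'
        : 'SQL error';

    $sth->execute($name);
    my $safe_rows = $sth->fetchall_arrayref;

    printf "%-16s interpolated: %-10s placeholder: %d row(s)\n",
        $name, $unsafe, scalar @$safe_rows;
}

$dbh->disconnect;
```

With interpolation, the apostrophe in the first input produces a syntax error and the second input matches every row in the table; with the placeholder, each input matches only rows whose name equals it exactly.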