if you want to be fairly sure that your code is SQL injection safe against typical attacks, then you should use typical attacks to test with. Most hackers use an up-to-date bundle of tricks, typically already in a script, to try to cause harm...and don't bother hand hacking. As such, the trivial test cases presented do not represent a typical SQL injection hackers bundle, by any stretch of imagination.
in reply to Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite
also, to help prevent SQL injection...normally you also untaint the data by an inclusion regex. e.g.
..and never untaint by disallowing banned characters instead. you never know if your banned character list is complete.
bad_input() if($cityname !~ /^[a-zA-Z .,]+$/);
the hardest line to type correctly is: stty erase ^H