The poster is already using placeholders, which is guarenteed to quote the inputs (either by the DB itself or by DBI if the DB doesn't support it). And placeholders are always more desirable to use than to place the inputs into the SQL statement itself, even if you quote them.

-----------------------------------------------------
Dr. Michael K. Neylon - mneylon-pm@masemware.com || "You've left the lens cap of your mind on again, Pinky" - The Brain
"I can see my house from here!"
It's not what you know, but knowing how to find it if you don't know that's important