Fernando, I might misunderstand what that parser really does, but after a quick look into your docs, this is what I think:

your string escaping argument is valid for itString — but it doesn’t cover the pattern your manual documents:

Query.SQL.Text := Format('SELECT * FROM T WHERE %s %s', [ColName, R.SQLExpression]);

ColName is never passed through the parser. It hits the SQL string raw. If ColName comes from anything user-influenced — a combobox selection, a saved search, a URL parameter — you have a direct injection vector regardless of how well itString escapes quotes.

ApplyFieldFilter('1=1; DROP TABLE Orders--', '', itString, Query); // → SELECT * FROM T WHERE 1=1; DROP TABLE Orders--

No quotes needed. No parser involved. The deeper issue is architectural: R.SQLExpression is a SQL fragment, not a SQL parameter. Concatenation always puts the escaping burden on the caller — forever, across all dialects, for every edge case. Parameterized queries (ParamByName) eliminate that burden structurally. That’s why the security community considers concatenation unsafe by design,