You are on the wrong track because you have made an incorrect assumption that the user cannot modify the value, when all you are really proving is that a non-malicious user cannot trivially modify or malform the value.
These are two very different things.
There are, in reality, no valid exceptions to using prepared statements. It's a genuine tragedy how many tutorials and examples show building SQL statements with string concatenation. This should not be done. There are scenarios where it is "theoretically" safe, but this should not be part of your thinking process.
Even if you got the data from your own database, you still cannot trust it and you do not need to be thinking about whether or not a value is subject to SQL injection, because the answer is always "yes."
The only question is how difficult the exploit would be and how many layers of indirection might be involved.
Malicious users do not usually use your application the way you intend. As noted in comments, command line tools like curl
can be used to submit requests to your server that would be indistinguishable from requests sent by a browser. Everything coming in from the client is especially suspect, but even information that isn't from outside should be assumed to be potentially dangerous.