Yes, this is right. By convention we're only using the $tcl_var form for SQL snippets. For Tcl values use the :tcl_var form, which gets set to a bindvar in the Oracle driver and surrounded by single quotes in the PG driver, both of which provide protection against "smuggled SQL" exploits.
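An added example to illustrate the distinction the reply draws (this is not part of the original post and not OpenACS or AOLserver code): interpolating a value into the SQL text, which is what the `$tcl_var` form does, lets the value smuggle SQL, while handing the value to the driver as a bind parameter, which is what the `:tcl_var` form does, keeps it a plain value. It uses Python and sqlite3 so it runs offline; the `pg_style_quote` helper is an assumed, simplified stand-in for what a driver that "surrounds with single quotes" has to do with embedded quotes, not the actual PG driver code.

```python
"""Added example, not from the original thread: $var-style interpolation
versus :var-style binding of a Tcl value in SQL, shown with sqlite3."""
import sqlite3

# Constructed sample data for the demo.
ROWS = [("alice", "alice-secret"), ("bob", "bob-secret")]


def make_db():
    """Build an in-memory table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_interpolated(conn, name):
    """Mirrors `... where name = '$name'`: the value becomes SQL text."""
    sql = f"SELECT secret FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_bound(conn, name):
    """Mirrors `... where name = :name`: the value travels as a bind parameter."""
    sql = "SELECT secret FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def pg_style_quote(value):
    """Assumed simplification of driver-side quoting: wrap in single quotes
    and double any embedded quote so the value cannot close the literal."""
    return "'" + value.replace("'", "''") + "'"


def lookup_quoted(conn, name):
    """Value is quoted and escaped before being spliced into the SQL text."""
    sql = f"SELECT secret FROM users WHERE name = {pg_style_quote(name)}"
    return sorted(row[0] for row in conn.execute(sql))


def demo():
    """Run the same smuggled value through all three forms."""
    conn = make_db()
    smuggled = "nobody' OR '1'='1"  # constructed attacker-controlled input
    return {
        "interpolated": lookup_interpolated(conn, smuggled),
        "bound": lookup_bound(conn, smuggled),
        "quoted": lookup_quoted(conn, smuggled),
        "bound_legit": lookup_bound(conn, "alice"),
    }


if __name__ == "__main__":
    for form, result in demo().items():
        print(f"{form:>13}: {result}")
```

Running it shows the interpolated form returning every secret in the table, because the closing quote in the input ends the literal and the `OR '1'='1'` becomes part of the WHERE clause, while the bound and quoted forms treat the whole string as a name that matches nothing and return an empty list.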