MichaelR wrote: And the fourth parameter of str_replace() simply defines the variable which will reference the number of replacements.
Oh, you're right. I recalled str_replace() being capable of limiting replacements. Anyway, if criticism is okay with you, I have formed my thoughts.
I wouldn't call your class secure. It's also buggy. For example, it throws backslashes in front of % and _ characters. That easily corrupts data. You probably thought about the meta characters that MySQL has for LIKE expressions (and maybe something else too). You should realize, though, that this affects everything else negatively. Besides, it only escapes _ and %, not \. Worse yet, it does that after escaping values, and without any given character set (so it uses ISO-8859-1 in PHP 5, and Unicode in PHP 6), which luckily often works, though.
And then, to emulate prepared statements, you keep replacing contents of expressions iteratively which easily leads to vulnerabilities and errors. The whole thing should be tokenized and then parsed per token. It's also not good to alter data after escaping it, because it also easily leads to vulnerabilities. And in the end, you transform your data again which is bad, too.
And as always, a system cannot be called secure if there are no written tests for it and if it has not been thoroughly evaluated by other security-conscious people.
Anyway, security is a fun area to play with, so have fun!
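To illustrate the point made in the post above about iterative replacement versus tokenizing, here is an added example that is not the original poster's class and not code from anyone in the thread. Both functions, their names, the template and the sample values are invented for this illustration. addslashes() stands in for a proper connection-aware escape function (the post's character-set remark applies to it as well); the point shown is only the substitution strategy, and a real application should use actual prepared statements rather than emulate them.

```php
<?php
// Added example (not the original poster's code): contrasts iterative
// placeholder replacement with a single-pass tokenized substitution.
// Function names, template and sample values are invented for illustration.

// Naive emulation: replace one "?" per parameter, left to right, in
// successive passes over the whole string. If an earlier bound value
// contains "?", the next pass substitutes into that data, not the SQL.
function bind_iterative(string $sql, array $params): string {
    foreach ($params as $value) {
        $quoted = "'" . addslashes($value) . "'";   // stand-in for a real escape
        $pos = strpos($sql, '?');
        if ($pos === false) {
            throw new InvalidArgumentException('more values than placeholders');
        }
        // the already-substituted text is scanned again on every pass
        $sql = substr($sql, 0, $pos) . $quoted . substr($sql, $pos + 1);
    }
    return $sql;
}

// Tokenized emulation: scan the template exactly once, copy quoted
// literals verbatim so a "?" inside a literal is never a placeholder,
// and emit each bound value once. Bound values are never re-scanned,
// so their contents cannot be mistaken for template syntax.
// $params is a 0-indexed list, one entry per "?" in the template.
function bind_tokenized(string $sql, array $params): string {
    $out = '';
    $i   = 0;
    $len = strlen($sql);
    $n   = 0;                               // index of the next value to bind
    while ($i < $len) {
        $c = $sql[$i];
        if ($c === "'" || $c === '"') {
            // copy a quoted literal through to its closing quote,
            // keeping backslash-escaped characters intact
            $quote = $c;
            $out  .= $c;
            $i++;
            while ($i < $len) {
                $ch   = $sql[$i];
                $out .= $ch;
                $i++;
                if ($ch === '\\' && $i < $len) { $out .= $sql[$i]; $i++; continue; }
                if ($ch === $quote) { break; }
            }
            continue;
        }
        if ($c === '?') {
            if (!array_key_exists($n, $params)) {
                throw new InvalidArgumentException('more placeholders than values');
            }
            $out .= "'" . addslashes($params[$n]) . "'";   // stand-in escape
            $n++;
            $i++;
            continue;
        }
        $out .= $c;
        $i++;
    }
    if ($n !== count($params)) {
        throw new InvalidArgumentException('more values than placeholders');
    }
    return $out;
}

// Constructed sample: the first value legitimately contains a "?".
$template = "SELECT * FROM posts WHERE title = ? AND author = ?";
$params   = ["Where is it?", "alice"];

echo bind_iterative($template, $params), "\n";
echo bind_tokenized($template, $params), "\n";
```

Running it shows the difference the post describes: bind_iterative() splices the second value into the middle of the first one's data and leaves the real second placeholder unbound, because each pass re-scans text that was already bound; bind_tokenized() keeps the "?" inside the data untouched and binds both values where the template intended. The same single-pass structure is also where a proper per-column escaping decision belongs, instead of altering values after they have been escaped.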