Syntax for getting input properly escaped through prepared statements:
$query->set('field', 'field + ?', $value)
or
$query->set('field', 'field + ? - ?', array($value1, $value2))
or simply
$query->set('field', '?', $value)
Ticket: 405