Do hash values contain quotes? If it depends on the algorithm, I want to know about blowfish using phpass.

I'm asking in regard to SQL injection because I don't want to prepare the query for authentication and use placeholders, just wrap the username and password hash in quotes. (I also have doubts about whether the username is safe when it is only validated to consist of word chars [a-wA-W1-9_] (no quotes or other special chars)?)
Yes, hash values can contain quotes, as can usernames.

You should also not base your database interaction on the fragile assumption that they never will (because you want so much not to prepare the query, which sounds ridiculous).

Instead, make the database query as safe as possible regardless of what you assume the data will be. Sometimes things go wrong on some end, and you don't want that error stored in your persistence layer, nor do you want to offer a potential door for SQL injection.
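As an added example (not from the question or the answer above), here is the authentication lookup written with PDO placeholders, so neither the username nor the stored hash ever becomes part of the SQL text. It assumes PHP's built-in password_hash/password_verify in place of phpass and an in-memory SQLite database with one constructed user.

```php
<?php
// Added example: prepared statement for the login lookup.
// Assumes the pdo_sqlite extension; the table and user below are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Constructed sample user whose name deliberately contains a single quote.
$username = "o'brien";
$hash = password_hash('correct horse battery staple', PASSWORD_BCRYPT); // stands in for phpass

$insert = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$insert->execute([':u' => $username, ':h' => $hash]);

/**
 * Fetch the stored hash by username via a bound parameter, then verify the
 * password in application code. The hash is never interpolated into a query,
 * so it does not matter which characters the hashing scheme may produce.
 */
function authenticate(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user: same result as a wrong password
    }
    return password_verify($password, $row['password_hash']);
}

var_dump(authenticate($pdo, "o'brien", 'correct horse battery staple'));
var_dump(authenticate($pdo, "o'brien", 'wrong password'));

// For contrast, the quote-wrapping approach from the question: the same
// legitimate username makes the statement malformed, so the query fails
// before any authentication check can run.
try {
    $pdo->query("SELECT password_hash FROM users WHERE username = '$username'");
} catch (PDOException $e) {
    echo 'quote-wrapped query failed: ' . $e->getMessage() . "\n";
}
```

The first var_dump is true and the second false, while the concatenated query raises a syntax error on the perfectly valid username; with placeholders the same input is simply a value.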