The next thing I can see to do is to look through the ZC code for the db class and see how queries under mysqli_ style calls are handled. It may be that some query preparation needs to be performed although it appears that none of the data into EP4 really is subject to malicious action. Hmm, maybe the query in line 171 where the single quotes are used need to be escaped for the query to work? Or the single quotes removed from around the returned variable(s). Although I had already suggested hard coding the query (not using variables) to see if that would be successful, not directly to you, but as an attempted solution.)

Not being able to reproduce the issue makes it difficult to suggest solutions. Between the time of it working and now when it doesn't, nothing was added to the cart code? No template changes? Anything that could cause something to load as a part of kicking off the code that could interfere or modify the expected response(s) of the system?