DBI's do() method does not use placeholders - it's there specifically for drivers that do not support placeholders.
You should quote any strings in the SQL that you're executing.
You might want to format things a little better so that any errors are easier to find, rather than having a huge block of code (which in this case has two SQL statements).
Edit: what am I talking about? do() does support placeholders.
If the information in this post is inaccurate, or just plain wrong, don't just downvote - please post explaining what's wrong.
That way everyone learns.