in reply to Re^2: Best practices for closing database connections?
in thread Best practices for closing database connections?

I am baffled as to the benefits of placeholders in such a case.

I strongly recommend that you type "SQL injection attack" into your search engine of choice.

See also: Little Bobby Tables.


🦛


Re^4: Best practices for closing database connections?
by Polyglot (Chaplain) on Mar 17, 2022 at 12:43 UTC

    Thank you for the reminder. In my case, the following points seem pertinent.

    1. No one accesses these webpages/queries without logging in, and those logging in are definitely not computer-savvy enough to deliberately inject code such as for dropping tables; much less would they have the desire, seeing as it is their own work at stake.

    2. I like that cartoon, and based on seeing that some time back I actually did create a subroutine that sanitizes the query before passing it to the database.

    3. I still don't understand how placeholders would be implemented in my case without creating less efficiency in my code--as opposed to streamlining it. Is it not the case that the main purpose is to make the queries run more efficiently?

    Blessings,

    ~Polyglot~

      Even ignoring hackers and deliberate wrong input:

      as soon as you have legitimate input such as
      • person names like O'Brien
      • company names like Toys “R” Us (or even the older version Toys Я Us)
      placeholders are way better than coping with the necessary quoting.

        Quotes are escaped. I always thought such was standard procedure.

        Blessings,

        ~Polyglot~

      "No one accesses these webpages/queries without logging in, and those logging in are definitely not computer-savvy enough to deliberately inject code such as for dropping tables; much less would they have the desire, seeing as it is their own work at stake."

      Don't assume the attack vector, e.g. Cross-site_request_forgery: a user clicks a specially crafted link in an email, say hello to little Bobby Tables.

      Update: how do placeholders and bind variables make things significantly less efficient?

        I'm not understanding most of your remarks here, and I'm not sure how they would apply in my case. I don't use cookies, and the pages the visitor accesses are behind a login screen. They are not public, nor would an online search find them indexed.

        As for your question, perhaps I would ask one in return: What would be the advantage of using "study" before a hairy regex if that were the only regex expression in the script and it would only be executed once?

        My present understanding of placeholders is that they inform the database as to the form or pattern of subsequent queries, essentially providing structure to those queries which are yet to come. But, if this is true, hardly any of my queries will follow the same pattern, and therefore would not be made more efficient by creating a placeholder expression for each one.

        Blessings,

        ~Polyglot~
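As an added example (not code from anyone in this thread), the following Perl/DBI script shows both points discussed above: a legitimate name containing an apostrophe breaks a query built by string interpolation, while a placeholder keeps the SQL text fixed and passes the value separately, so no quoting routine is needed and a prepared statement can be executed many times. It assumes DBD::SQLite is installed; the table and names are constructed sample data.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# In-memory SQLite database with constructed sample data (requires DBD::SQLite).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

# Ordinary, non-malicious input: the first two contain quote characters.
my @names = ("O'Brien", 'Toys "R" Us', 'Robert');

# 1. Interpolating the value into the SQL text. The apostrophe in O'Brien ends
#    the string literal early, so the statement no longer parses and DBI dies.
for my $name (@names) {
    eval { $dbh->do("INSERT INTO people (name) VALUES ('$name')"); 1 }
        or print "interpolation failed for '$name'\n";
}

# 2. Placeholder version. The SQL text never changes; each value is sent to the
#    driver as data, so quote characters inside it are just characters. The
#    statement is prepared once and executed for every row.
my $sth = $dbh->prepare('INSERT INTO people (name) VALUES (?)');
$sth->execute($_) for @names;

# Look-ups use the same mechanism; the search value is also a placeholder.
my ($count) = $dbh->selectrow_array(
    'SELECT COUNT(*) FROM people WHERE name = ?', undef, "O'Brien");
print "rows named O'Brien: $count\n";

$dbh->disconnect;
```

Only the placeholder insert stores O'Brien, so the final count is 1; the interpolated attempt for that name is the one that prints a failure.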

      What is considered the best practice?

      Using placeholders is best practice. Arguing against best practices makes no sense.

        I'm asking about best practice in the OP. I'm certainly not against best practice. But why is it best practice? 1) For efficiency in the database operations? 2) For security purposes? 3) Because perl culture says so? 4) Other?

        I hope it isn't wrong to inquire.

        Blessings,

        ~Polyglot~