in reply to DBI do() SQL injection
Everything that expects a string to be in a certain format is "susceptible to injection", since an injection bug is simply another term for incorrectly constructing a string.
Since do expects SQL, it is susceptible to being provided incorrectly-built SQL, or susceptible to injection bugs as you put it.
(Same goes for eval EXPR, qr//, decode_json, printf, etc.)
Example of a bug:
    my $sql = qq{ insert into customers ( id, name ) values ( '$id', '$name' ) -- XXX BUG };
    $dbh->do( $sql );
We can fix the bug by properly building the SQL statement.
    my $id_sql   = $dbh->quote( $id );
    my $name_sql = $dbh->quote( $name );
    my $sql = qq{ insert into customers ( id, name ) values ( $id_sql, $name_sql ) };
    $dbh->do( $sql );
It's simpler using placeholders.
    my $sql = qq{ insert into customers ( id, name ) values ( ?, ? ) };
    $dbh->do( $sql, undef, $id, $name );
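An added example, not part of the original reply, that runs the three forms above against an in-memory SQLite database. It assumes DBD::SQLite is installed; the customer name is a constructed sample value chosen because a legitimate name containing a single quote is enough to show why interpolation breaks and why quote() or placeholders do not.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# In-memory SQLite database (assumes DBD::SQLite is available).
my $dbh = DBI->connect( 'dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 } );

$dbh->do( q{ create table customers ( id integer primary key, name text not null ) } );

# Constructed sample input: an ordinary name that happens to contain a quote.
my $id   = 1;
my $name = "O'Brien";

# 1. Interpolating the values directly. The quote inside $name ends the
#    string literal early, so the statement is no longer the SQL we meant
#    and the driver rejects it (RaiseError turns that into an exception).
my $broken_sql = qq{ insert into customers ( id, name ) values ( '$id', '$name' ) };
eval { $dbh->do( $broken_sql ); 1 }
    or print "interpolated SQL failed: $@";

# 2. Building the statement with $dbh->quote, which escapes embedded
#    quotes the way this driver requires, yields a correct literal.
my $id_sql   = $dbh->quote( $id );
my $name_sql = $dbh->quote( $name );
$dbh->do( qq{ insert into customers ( id, name ) values ( $id_sql, $name_sql ) } );

# 3. Placeholders: the values are bound separately and never become part
#    of the SQL text, so no escaping is needed at all.
$dbh->do( q{ insert into customers ( id, name ) values ( ?, ? ) }, undef, $id + 1, $name );

# Both rows written by the correct forms hold the name intact.
my $rows = $dbh->selectall_arrayref( q{ select id, name from customers order by id } );
printf "%d: %s\n", @$_ for @$rows;

$dbh->disconnect;
```

Run it with `perl dbi_quote_demo.pl`; the first insert reports a syntax error from SQLite, while the quoted and placeholder inserts both store `O'Brien` unchanged.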