in reply to Using-T and Untainting SQL

If you want to pass potentially insecure variables to SQL commands using DBI, placeholders are arguably the best choice. If you can't or don't want to use placeholders (some DBD drivers do not support them), read up on DBI's quote method.
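An added example, not part of the original post: the same lookup done with string interpolation, with a placeholder, and with DBI's `quote` method, so the difference is visible on one input. It assumes DBD::SQLite is installed (an in-memory database keeps it self-contained); the `users` table and the input string are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; any DBD driver is used the same way.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 });

# Constructed sample table and rows.
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$dbh->do('INSERT INTO users (name) VALUES (?)', undef, $_) for qw(alice bob);

# Constructed sample of untrusted input that contains quote characters.
my $input = "x' OR '1'='1";

# 1. Interpolation (what to avoid): the input becomes part of the SQL text,
#    so its quote characters change the meaning of the WHERE clause.
my $interpolated = $dbh->selectall_arrayref(
    "SELECT name FROM users WHERE name = '$input'");

# 2. Placeholder: the SQL text is fixed at prepare time and the value is
#    bound separately, so it is only ever compared as data.
my $sth = $dbh->prepare('SELECT name FROM users WHERE name = ?');
$sth->execute($input);
my $bound = $sth->fetchall_arrayref;

# 3. quote(): for drivers without placeholder support. It returns the value
#    already wrapped in quotes and escaped for this driver (and the bare word
#    NULL for undef), so do NOT add quote characters around it yourself.
my $literal = $dbh->quote($input);
my $quoted  = $dbh->selectall_arrayref(
    "SELECT name FROM users WHERE name = $literal");

printf "literal produced by quote(): %s\n", $literal;
printf "rows via interpolation: %d\n", scalar @$interpolated;
printf "rows via placeholder:   %d\n", scalar @$bound;
printf "rows via quote():       %d\n", scalar @$quoted;

$dbh->disconnect;
```

Placeholders and `quote` only cover values; table and column names taken from input still need to be checked against a fixed list of allowed names.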