in reply to CGI/DBI and placeholders, revisited.

Consider:
    my $bar_value = param('bar');
    # $bar_value is interpolated straight into the SQL text, quotes and all
    my $sql = "select blargh from foo where bar = '".$bar_value."'";
    my $sth = $dbh->prepare($sql);
Then someone enters in the form for 'bar':
    "somevalue' union select blech from some_really_big_table where some_unindexed_column = 'blah"
or
    "somevalue' and some_field in (select field from some_other_really_big_table) and bar = 'somevalue"
This won't corrupt your database (unless maybe you run out of temp space and something horrible happens), but you'll at least be spending more CPU cycles than you expected...
------------
ooo  O\O  ooo tilly was here :,(
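To make the point concrete, here is an added, self-contained Perl script (not code from the post or its author) that runs the post's first form value both through the interpolated query and through a DBI placeholder; it assumes DBD::SQLite is installed and uses constructed in-memory tables named after the ones in the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed in-memory schema standing in for "foo" and the "really big
# table" mentioned in the post (assumes DBD::SQLite is available).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('create table foo (blargh text, bar text)');
$dbh->do('create table some_really_big_table (blech text, some_unindexed_column text)');
$dbh->do(q{insert into foo values ('row-1', 'somevalue'), ('row-2', 'other')});
$dbh->do(q{insert into some_really_big_table
           values ('leaked-1', 'blah'), ('leaked-2', 'blah')});

# Simulated form input: the first string from the post.
my $bar_value = "somevalue' union select blech from some_really_big_table"
              . " where some_unindexed_column = 'blah";

# 1. String interpolation: the quote in the input closes the literal and the
#    remainder of the input becomes part of the statement itself.
sub interpolated {
    my ($value) = @_;
    my $sql = "select blargh from foo where bar = '" . $value . "'";
    return $dbh->selectcol_arrayref($sql);   # rows from BOTH tables
}

# 2. Placeholder: DBI passes the value separately from the SQL text, so it is
#    only ever compared as one literal string and never parsed as SQL.
sub with_placeholder {
    my ($value) = @_;
    return $dbh->selectcol_arrayref(
        'select blargh from foo where bar = ?', undef, $value);
}

my $leaked = interpolated($bar_value);
my $safe   = with_placeholder($bar_value);
printf "interpolated: %d rows (%s)\n", scalar @$leaked, join(', ', @$leaked);
printf "placeholder:  %d rows\n", scalar @$safe;
```

The interpolated query returns row-1 plus both rows of the unrelated table, while the placeholder query returns no rows because no record has bar equal to the whole input string.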