in reply to Re: Spiking the mySQL parameter
in thread A Matter of Style in CGI

You can rewrite

    $sql_stmnt = "SELECT emp_id, CONCAT(emp_first, ' ', emp_last) FROM sys_main.humans WHERE emp_first LIKE '%$search_text%' OR emp_last LIKE '%$search_text%'";
    $sth = $dbh->prepare($sql_stmnt);
    $sth->execute();

as

    $sql_stmnt = "SELECT emp_id, CONCAT(emp_first, ' ', emp_last) FROM sys_main.humans WHERE emp_first LIKE ? OR emp_last LIKE ?";
    $sth = $dbh->prepare($sql_stmnt);
    $sth->execute("%$search_text%", "%$search_text%");

and get the benefit of having the values automatically quoted for you.
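An added, self-contained illustration of the placeholder approach above (not the poster's code): it assumes DBD::SQLite is installed and uses a constructed in-memory table with `||` in place of MySQL's CONCAT(), and it also shows the one thing placeholders do not cover, namely LIKE's own `%` and `_` wildcards inside the bound value.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Added example, not from the original thread. Assumes DBD::SQLite; the
# in-memory table and its rows are constructed sample data. SQLite has no
# CONCAT(), so the display name is built with ||; the placeholder technique
# is the same under DBD::mysql.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE humans (emp_id INTEGER, emp_first TEXT, emp_last TEXT)");
my $ins = $dbh->prepare("INSERT INTO humans VALUES (?, ?, ?)");
$ins->execute(@$_) for [1, "Ann", "O'Neil"], [2, "Bob", "Smith"], [3, "Cy", "Neil_sen"];

# The placeholder form from the post: DBI binds $search_text as data, so an
# apostrophe in it (try "O'N") cannot terminate the string literal or alter
# the statement.
sub find_humans {
    my ($dbh, $search_text) = @_;
    my $sth = $dbh->prepare(
        "SELECT emp_id, emp_first || ' ' || emp_last FROM humans
          WHERE emp_first LIKE ? OR emp_last LIKE ?");
    $sth->execute("%$search_text%", "%$search_text%");
    return $sth->fetchall_arrayref;
}

# Placeholders neutralise quoting, not LIKE's metacharacters: searching for
# "_" above still matches any single character, so every row comes back.
# Escaping %, _ and the escape character itself before binding, with a
# matching ESCAPE clause, makes the user's text literal inside the pattern.
sub find_humans_literal {
    my ($dbh, $search_text) = @_;
    (my $pat = $search_text) =~ s/([\\%_])/\\$1/g;
    my $sth = $dbh->prepare(
        "SELECT emp_id, emp_first || ' ' || emp_last FROM humans
          WHERE emp_first LIKE ? ESCAPE '\\' OR emp_last LIKE ? ESCAPE '\\'");
    $sth->execute("%$pat%", "%$pat%");
    return $sth->fetchall_arrayref;
}

print "$_->[0]: $_->[1]\n" for @{ find_humans($dbh, "O'N") };
print "wildcard search for '_' matched ", scalar @{ find_humans($dbh, "_") }, " rows\n";
print "literal search for '_' matched ", scalar @{ find_humans_literal($dbh, "_") }, " rows\n";
```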