If you continue to use plain vanilla DBI, you should use parameter binding, e.g.
$sql="SELECT foo FROM bar WHERE id=? ..."; $sth = $dbh->prepare($sql); $sth->bind_param(1,$id), but of course, TMTOWTDI with DBI.
Not only can you reuse your prepared statements (e.g. $sth->execute(@params) again and again), it'll also protect against SQL injection.
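The contrast above, as an added example that is not part of the original thread: the interpolated query beside the bound one, plus reuse of the prepared handle. It assumes DBD::SQLite is installed and uses an in-memory database with a constructed table named bar.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; :memory: keeps the example self-contained.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

# Constructed sample data.
$dbh->do("CREATE TABLE bar (id INTEGER PRIMARY KEY, foo TEXT)");
my $ins = $dbh->prepare("INSERT INTO bar (id, foo) VALUES (?, ?)");
$ins->execute(@$_) for ([1, "alpha"], [2, "beta"], [3, "gamma"]);

# Simulated untrusted input: not a plain id.
my $id = "1 OR 1=1";

# Vulnerable: the input becomes part of the SQL text, so the database parses
# it as query syntax and the WHERE clause matches every row.
my $unsafe_sql = "SELECT foo FROM bar WHERE id=$id";
my $leaked = $dbh->selectcol_arrayref($unsafe_sql);
printf "interpolated query returned %d rows\n", scalar @$leaked;   # 3

# Hardened: the statement is compiled with a placeholder; the bound value is
# sent as data and cannot alter the query's structure, so nothing matches.
my $sth = $dbh->prepare("SELECT foo FROM bar WHERE id=?");
$sth->bind_param(1, $id);
$sth->execute;
my $safe = $sth->fetchall_arrayref;
printf "bound query returned %d rows\n", scalar @$safe;            # 0
$sth->finish;

# The same prepared handle is reused for each lookup; only the data changes.
for my $wanted (1, 3) {
    $sth->execute($wanted);
    my ($foo) = $sth->fetchrow_array;
    print "id $wanted -> $foo\n";
    $sth->finish;
}
```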