in reply to Delete multiple values from mysql db..
Skeeve's advice on using placeholders is very sensible. However it is not simply a matter of efficiency or elegance but one of security. As your code stands right now it would be a simple matter for some bad person to give the query parameter 'id' a value such as:

```
1) ; (drop table student
```

and your day would begin to take a turn for the worse.
Really you should be checking the values of 'id' you are using for validity and skipping any which are not purely digits. You probably also want to use the -T switch to Perl and DBI's 'Taint' option to cause DBI to croak if it is passed tainted data.
You might have something like this replacing your foreach loop:
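```perl
# Prepare once; the id is always bound through the placeholder.
my $sql = 'DELETE FROM student where student_id = ?';
my $sth = $dbh->prepare($sql);
foreach my $id ( $cgi->param('id') ) {
    # Skip anything that is not purely digits.
    if ( $id =~ /^(\d+)$/ ) {
        $id = $1;    # the captured value is untainted under -T
        $sth->execute($id);
    }
}
```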
/J\
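An added example, not part of the original post, showing the -T switch, DBI's taint checking and the digit check working together. It assumes DBI and DBD::SQLite are installed and uses an in-memory table with constructed rows; the `@ids` list is a constructed stand-in for `$cgi->param('id')`.

```perl
#!/usr/bin/perl -T
# Added example, not the poster's code. Run as: perl -T delete_ids.pl
# Assumes DBI and DBD::SQLite are installed; all data below is constructed.
use strict;
use warnings;
use DBI;

die "run with perl -T\n" unless ${^TAINT};

# TaintIn: under -T, DBI croaks if a tainted value is passed to a method.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, TaintIn => 1 });

$dbh->do('CREATE TABLE student (student_id INTEGER PRIMARY KEY, name TEXT)');
$dbh->do('INSERT INTO student VALUES (?, ?)', undef, @$_)
    for [1, 'Ann'], [2, 'Bob'], [3, 'Cy'];

# Stand-in for $cgi->param('id'): constructed values, made tainted by
# appending an empty string derived from tainted variables ($0, $^X).
my $taint = substr("$0$^X", 0, 0);
my @ids   = map { $_ . $taint } '1', '3', '1) ; (drop table student', '2x';

my $sth = $dbh->prepare('DELETE FROM student WHERE student_id = ?');

# 1. An unchecked (still tainted) value is refused before it reaches the DB.
my $refused = !eval { $sth->execute($ids[0]); 1 };
print 'tainted value refused by DBI: ', ($refused ? 'yes' : 'no'), "\n";

# 2. Validate, untaint through the capture group, then bind as a placeholder.
my (@deleted, @skipped);
for my $id (@ids) {
    if ($id =~ /\A(\d+)\z/) {
        my $clean = $1;                  # untainted copy, digits only
        my $rows  = $sth->execute($clean);
        push @deleted, $clean if $rows > 0;
    }
    else {
        push @skipped, $id;              # log or report, never execute
    }
}

print "deleted ids: @deleted\n";
print 'skipped values: ', join(' | ', @skipped), "\n";
my ($left) = $dbh->selectrow_array('SELECT count(*) FROM student');
print "rows left: $left\n";
```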