in reply to string assignment.
in thread executing a OSP with CGI
I highly recommend using the DBI's ? substitution operator unless you know that $xvar, $yvar or $zvar don't contain any meta characters. But you should use them anyway, since that's what they're made for ;)
A short explanation:
When sending a query to the DBI, you can use the ? character and the arguments to C<exec()> to have the contents being substituted be checked for what may otherwise be considered metacharacters (characters that mean something other than themselves, eg ' (begin/end string), % (mysql's glob character), & (the conjunction character), etc.).
Here's an example:
(This code is not tested, and yes, I know the same thing could be achieved with less code.)

    my $query = "SELECT * FROM lala WHERE moomoo = ?";
    my $sth   = $dbh->prepare($query);
    # At this point the query string is parsed, and DBI discovers
    # that there is one substitution. It will require one argument
    # to execute() and complain if it doesn't see one.
    foreach my $moomoo_val ( @vals ){
        # Note that the query is now cached, and can be
        # re-execute()'d as many times as you wish.
        $sth->execute($moomoo_val);
        while(my $row = $sth->fetchrow_hashref){
            print( join("\t", values %$row), "\n" );
        }
    }
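The following is an added, self-contained example (not the poster's code) that runs the comparison the reply describes: the same lookup done by interpolating the value into the SQL string and then done with a ? placeholder. It assumes DBD::SQLite is installed and builds an in-memory table with constructed rows, one of which contains the ' metacharacter and one the % character.

```perl
#!/usr/bin/perl
# Added example, not from the original thread. Assumes DBD::SQLite is
# installed; the table, its rows and the input values are constructed here.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do("CREATE TABLE lala (id INTEGER PRIMARY KEY, moomoo TEXT)");
my $ins = $dbh->prepare("INSERT INTO lala (moomoo) VALUES (?)");
$ins->execute($_) for ("O'Brien", "100%", "plain");

# Constructed inputs, each carrying a character the reply calls a metacharacter.
my @vals = ("O'Brien", "100%");

# 1) Interpolating the value into the SQL text: the quote in O'Brien ends the
#    string literal early, so the query is malformed and DBI raises an error.
for my $v (@vals) {
    my $rows = eval {
        $dbh->selectall_arrayref("SELECT moomoo FROM lala WHERE moomoo = '$v'")
    };
    print "interpolated '$v': ",
        ($@ ? "ERROR: $@" : scalar(@$rows) . " row(s)\n");
}

# 2) Placeholder: prepared once, executed per value. DBI hands the value to the
#    driver separately from the SQL, so ' and % are plain data and each lookup
#    matches exactly the one row that holds that string.
my $sth = $dbh->prepare("SELECT moomoo FROM lala WHERE moomoo = ?");
for my $v (@vals) {
    $sth->execute($v);
    my $n = 0;
    while (my $row = $sth->fetchrow_hashref) {
        $n++;
        print "  matched: ", join("\t", values %$row), "\n";
    }
    print "placeholder '$v': $n row(s)\n";
}

$dbh->disconnect;
```

Run it with plain `perl`; the first loop reports a syntax error for the O'Brien lookup, while the placeholder loop returns one row for each value. Note that % only acts as a wildcard inside LIKE, so with an = comparison it is literal either way; the placeholder still matters there because it keeps the value out of the SQL text entirely.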