in reply to Re: DBI prepare() vs do() usage
in thread DBI prepare() vs do() usage
Actually I was concerned about this exact issue recently after reading an article on SQL injection tricks. I did some research and found that DBI (by default) does not support multiple SQL statements in a single statement. This can be overridden by the DBI driver though. Here is a quote from the DBI documentation:
(In the "General Interface Rules & Caveats" section on this page)
"Multiple SQL statements may not be combined in a single statement handle ($sth), although some databases and drivers do support this (notably Sybase and SQL Server)."
Of course this is no excuse for not being a good paranoid programmer, but it's nice to know anyway.
-stvn