The only problem with interpolating it into the SQL statement is that if it comes from an outside (that is, untrusted) source (as it seems in your examples), then anyone can maliciously or unintentionally include characters that mean things to SQL. For example, imagine someone putting something like this into $mailbox (presumably gotten from the CGI values): "test"; delete from bar;
Comment on Re: mod_perl was hosed by a bind variable
Actually not true; check out what the DBI docs say about such SQL injection attacks:
(In the "General Interface Rules & Caveats" section on this page)
"Multiple SQL statements may not be combined in a single statement handle ($sth), although some databases and drivers do support this (notably Sybase and SQL Server)."
Although this is by no means a reason not to validate your strings before dumping them into a DB.
You have to work harder (for instance put the nasty stuff in a correlated subquery), but MadHatter's point is still fundamentally true. An SQL injection attack can be used to truly devastating effect through well-known techniques that people can easily Google for if they want.
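As an added example (not code from the thread), this Perl sketch shows why the single-statement restriction quoted from the DBI docs does not make interpolation safe, and how a bind variable does. It assumes DBD::SQLite is installed; the layout of the bar table, its rows and the inputs are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Assumes DBD::SQLite is installed;
# the table layout, sample rows and inputs are constructed.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE bar (mailbox TEXT, owner TEXT)');
$dbh->do('INSERT INTO bar VALUES (?, ?)', undef, @$_)
    for ['test', 'alice'], ['sales', 'bob'], ['admin', 'carol'];

# Vulnerable: the untrusted value becomes part of the SQL text, so a quote
# character in it is parsed as SQL syntax.
sub lookup_interpolated {
    my ($mailbox) = @_;
    my $rows = $dbh->selectall_arrayref(
        "SELECT owner FROM bar WHERE mailbox = '$mailbox'");
    return scalar @$rows;
}

# Hardened: the value travels as a bind variable and is only ever compared
# as data, whatever characters it contains.
sub lookup_bound {
    my ($mailbox) = @_;
    my $rows = $dbh->selectall_arrayref(
        'SELECT owner FROM bar WHERE mailbox = ?', undef, $mailbox);
    return scalar @$rows;
}

# Constructed inputs: an ordinary value, and one whose quote rewrites the
# WHERE clause inside a single statement (no second statement is needed).
my @inputs = ('test', "x' OR '1'='1");

for my $in (@inputs) {
    printf "%-16s interpolated=%d rows  bound=%d rows\n",
        $in, lookup_interpolated($in), lookup_bound($in);
}
```

The second input makes the interpolated query match every row in the table, while the bound query matches none, because no mailbox has that literal name.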