Because it helps you not forget to call quote() manually. Placeholders are the way to go. When you always use them as your SOP (standard operating procedure), you have already made your code safer.

Unsafe values don't have to come from the attacker directly. They might already be stored in the database, for example by another script that quoted them safely. Now you read the data, DBI "unquotes" the values and when executing another statement with that evil value, you forget to quote it correctly. Bam, you just executed code prepared by the attacker.

That can easily happen when you modify SQL statements and add a column. If you are NOT using placeholders, you will need to remember to call quote() every single time. Forget just once and it's pretty much over. On the other hand, if you use placeholders, this is done automatically for you.

perl -e 'use Crypt::Digest::SHA256 qw[sha256_hex]; print substr(sha256_hex("the Answer To Life, The Universe And Everything"), 6, 2), "\n";'

In reply to Re^7: Best practices for closing database connections? by cavac
in thread Best practices for closing database connections? by Polyglot
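An added example (not cavac's code) illustrating the second-order problem described above with DBI and an in-memory DBD::SQLite database: a value containing a quote is stored safely via a placeholder, read back as plain data, and then passed into a second statement once by interpolation and once by placeholder. Table names and the sample value are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# In-memory SQLite database so the example runs stand-alone (requires DBD::SQLite).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$dbh->do("CREATE TABLE audit (id INTEGER PRIMARY KEY, name TEXT)");

# Step 1: a value with an embedded quote is stored safely via a placeholder.
# Constructed sample value; untrusted input would be stored the same way.
my $tricky_name = "O'Brien";
$dbh->do("INSERT INTO users (name) VALUES (?)", undef, $tricky_name);

# Step 2: another part of the program reads the value back. DBI hands it
# over "unquoted", i.e. as the plain string O'Brien in a Perl variable.
my ($name) = $dbh->selectrow_array("SELECT name FROM users WHERE id = 1");

# UNSAFE: interpolating the value into a second statement. The embedded
# quote terminates the string literal early, so the SQL is malformed and
# the statement fails; the value has changed the structure of the query.
eval {
    $dbh->do("INSERT INTO audit (name) VALUES ('$name')");
};
print "interpolated statement failed: ", ($@ ? "yes" : "no"), "\n";

# SAFE: the same statement with a placeholder. The driver binds the value
# as data, so a quote inside it cannot alter the SQL structure.
$dbh->do("INSERT INTO audit (name) VALUES (?)", undef, $name);

my ($stored) = $dbh->selectrow_array("SELECT name FROM audit WHERE id = 1");
print "placeholder statement stored: $stored\n";
```

The interpolated form only fails loudly here because the sample value is harmless; the point is that it reached the SQL parser at all, which the placeholder form never allows.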
