Also, check the docs to learn the better way of quoting data that's getting inserted into the database. There's a DBI method that does it for you
Well, Abigail already told you what to do here, but I thought some of you might find this funny. I just started a new job, and the first task I imposed upon myself was removing all the instances of the wonderful subroutine sql_quote (AKA quote_for_db, db_quote). Actual code follows:
sub sql_quote {
    my ($entry) = @_;
    # Double every single quote, then wrap the result in single quotes.
    # (That is all it does: no NULL handling, no driver-specific escaping.)
    $entry =~ s/'/''/g;
    return "'" . $entry . "'";
}
All indented with tabs, too, and I'm not even going to mention the formatting of the SQL queries.
A useful (IMO) thing for placeholders, not in the DBI docs (at least I don't think it is), is when using foo LIKE ?. Then you have to put your % or ? in the parameter passed in the execute: $st->execute("%$bar"); or whatever.
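The three points raised in this thread (the DBI quoting method, the hand-rolled sql_quote above, and putting the LIKE wildcard into the bound value) side by side, as an added example that is not code from any of the posters. It assumes DBI with DBD::SQLite installed and uses an in-memory database; the table and rows are constructed here for illustration.

```perl
#!/usr/bin/env perl
# Added example, not from the thread. Assumes DBI and DBD::SQLite.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

# Constructed sample data.
$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
my $ins = $dbh->prepare("INSERT INTO users (name) VALUES (?)");
$ins->execute($_) for ("alice", "o'brien", "bob", "bob_smith", "bobby");

# 1. The hand-rolled routine from the post above, kept exactly as posted.
sub sql_quote {
    my ($entry) = @_;
    $entry =~ s/'/''/g;
    return "'" . $entry . "'";
}

# 2. The DBI method that does it for you: $dbh->quote. The driver applies
#    its own escaping rules, and undef becomes NULL instead of ''.
print "sql_quote:  ", sql_quote("o'brien"),  "\n";   # 'o''brien'
print "dbh->quote: ", $dbh->quote("o'brien"), "\n";   # 'o''brien'
print "undef:      ", sql_quote(undef) . " vs " . $dbh->quote(undef), "\n";

# 3. Placeholders: the value never becomes part of the SQL text, so there
#    is nothing to quote and the handle can be prepared once and reused.
my $by_name = $dbh->prepare("SELECT id FROM users WHERE name = ?");

sub find_by_name {
    my ($name) = @_;
    $by_name->execute($name);
    my $row = $by_name->fetchrow_arrayref;
    $by_name->finish;
    return $row ? $row->[0] : undef;
}

# The classic injection string is just a literal name and matches nothing.
printf "%-14s -> %s\n", $_, find_by_name($_) // 'no match'
    for "o'brien", "x' OR '1'='1";

# LIKE with a placeholder, as the last post says: the % goes into the
# bound value, not into the SQL.
my $like = $dbh->prepare(
    "SELECT name FROM users WHERE name LIKE ? ORDER BY name");
$like->execute("bob_%");
print "bob_% matches: @{[ map { $_->[0] } @{ $like->fetchall_arrayref } ]}\n";
# -> bob_smith bobby   (the _ is still a wildcard once bound)

# Caveat: % and _ inside user-supplied text are still wildcards after
# binding. To search for them literally, escape them and declare the
# escape character in the SQL.
sub like_literal {
    my ($s) = @_;
    $s =~ s/([\\%_])/\\$1/g;   # prefix \, % and _ with a backslash
    return $s;
}

my $esc = $dbh->prepare(
    "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\' ORDER BY name");
$esc->execute(like_literal("bob_") . "%");
print "bob\\_% matches: @{[ map { $_->[0] } @{ $esc->fetchall_arrayref } ]}\n";
# -> bob_smith
```

The last two queries are the practical difference between "prefix search" and "search for this exact text followed by anything": a bound value protects the query structure, but LIKE still interprets % and _ inside it, so a user typing an underscore gets wildcard matches unless you escape it yourself.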