in reply to Re: Avoiding SQL insecurities
in thread Avoiding SQL insecurities

Perhaps more important - because it's a bit more subtle - is that you should NEVER directly interpolate user input into SQL. Don't do things like:

$dbh->do("UPDATE mytable SET foo='$wossname' WHERE bar='$otherwossname'");

where $wossname comes straight from an HTML form, because at some point, a nasty fellow like me will provide a value like:

you are screwed';DELETE FROM mytable;

which is the classic SQL injection attack. *That's* why placeholders are so good, but even with placeholders, you need to validate user input so that you don't try to update a user's date of birth with "grapefruit".
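The two points in the post (placeholders keep data out of the SQL text, and validation is still needed on top of them) worked through as an added example that is not part of the original reply. It is written in Python against an in-memory SQLite database rather than Perl DBI so it runs stand-alone; the placeholder shape is the same as DBI's `$dbh->do('UPDATE mytable SET foo=? WHERE bar=?', undef, $wossname, $otherwossname)`. The table, the rows and the date-of-birth column are constructed for the example; the injected string is the one from the post.

```python
import re
import sqlite3
from datetime import date

# The value from the post, used here purely as data to be stored.
MALICIOUS_INPUT = "you are screwed';DELETE FROM mytable;"


def setup_db():
    """Constructed sample table: three rows, a 'dob' column for the validation part."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mytable (id INTEGER PRIMARY KEY, foo TEXT, bar TEXT, dob TEXT)"
    )
    conn.executemany(
        "INSERT INTO mytable (foo, bar, dob) VALUES (?, ?, ?)",
        [("alpha", "one", "1990-01-01"),
         ("beta", "two", "1985-06-15"),
         ("gamma", "three", "2000-12-31")],
    )
    conn.commit()
    return conn


def build_interpolated_sql(new_foo, bar):
    """The pattern the post warns against: the SQL string is built only to show
    what the database would be asked to run; it is never executed here."""
    return f"UPDATE mytable SET foo='{new_foo}' WHERE bar='{bar}'"


def update_foo(conn, new_foo, bar):
    """Placeholder version: the driver passes values separately from the SQL
    text, so quotes and semicolons in new_foo can never become SQL syntax."""
    cur = conn.execute("UPDATE mytable SET foo=? WHERE bar=?", (new_foo, bar))
    conn.commit()
    return cur.rowcount


DOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def validate_dob(value):
    """Placeholders do not make 'grapefruit' a date; reject anything that is not
    a real YYYY-MM-DD value before it reaches the database."""
    if not DOB_RE.match(value):
        raise ValueError(f"not a YYYY-MM-DD date: {value!r}")
    return date.fromisoformat(value)  # also rejects e.g. 2023-02-30


def update_dob(conn, bar, dob_text):
    dob = validate_dob(dob_text)
    cur = conn.execute("UPDATE mytable SET dob=? WHERE bar=?", (dob.isoformat(), bar))
    conn.commit()
    return cur.rowcount


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM mytable").fetchone()[0]


def foo_for(conn, bar):
    row = conn.execute("SELECT foo FROM mytable WHERE bar=?", (bar,)).fetchone()
    return row[0] if row else None


def demo():
    conn = setup_db()
    result = {"rows_before": row_count(conn)}
    # With placeholders the hostile string is stored as-is and no row is lost.
    result["updated"] = update_foo(conn, MALICIOUS_INPUT, "one")
    result["rows_after"] = row_count(conn)
    result["stored_foo"] = foo_for(conn, "one")
    # Validation layer: a placeholder would happily store 'grapefruit'.
    try:
        update_dob(conn, "one", "grapefruit")
        result["grapefruit_rejected"] = False
    except ValueError:
        result["grapefruit_rejected"] = True
    result["dob_updated"] = update_dob(conn, "one", "1991-03-04")
    return result


if __name__ == "__main__":
    print(build_interpolated_sql(MALICIOUS_INPUT, "one"))
    print(demo())
```

Running it prints the interpolated string, which visibly contains a second statement after the closing quote, and then the results of the placeholder path: all three rows survive and `foo` holds the hostile text literally. The `validate_dob` step is the second half of the post's advice; SQLite, like many databases, would otherwise accept any text in the `dob` column.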