A big security hole is not using placeholders. Always use placeholders or a dbi->quote(), or else untainted values can really mess up the database.