Let's say you used to do this:

  my $c_first = $query->param('c_first');
  my $c_address = $query->param('c_address');

  my $sql = "SELECT id FROM names WHERE first = '$c_first'";
  my $sth = $dbh->prepare( $sql );
  if ( $sth && $sth->execute() ) {
    while ( my $row = $sth->fetchrow_arrayref() ) {
      print( "$c_first => " . $row->[0] . "\n" );
    }
    $sth->finish();
  }
[download]

You can now do this:

  my $sql = "SELECT id FROM names WHERE first = ?";
  my $sth = $dbh->prepare( $sql );
  if ( $sth && $sth->execute( $c_first ) ) {
    while ( my $row = $sth->fetchrow_arrayref() ) {
      print( "$c_first => " . $row->[0] . "\n" );
    }
    $sth->finish();
  }
[download]

This is a common and often preferred method. You can have more than one question mark in the SQL command and put the variable names as arguments to the $sth->execute() function. Note that you don't put quote marks around the question marks in the SQL string.

Alternatively you can do this:

  $c_first = $dbh->quote( $c_first ); # make O'Brian safe

  my $sql = "SELECT id FROM names WHERE first = $c_first";
  my $sth = $dbh->prepare( $sql );
  if ( $sth && $sth->execute() ) {
    while ( my $row = $sth->fetchrow_arrayref() ) {
      print( "$c_first => " . $row->[0] . "\n" );
    }
    $sth->finish();
  }
[download]

Note the absense of quote marks around the variable in the SQL statement. $dbh->quote()ing the variable automatically puts quote marks around the string.