Placeholders are the safety net against SQL injection attacks; hence my desire to find a way to use them. But thanks for clarifying the problem; I wasn't explicit enough about the security issue.

Actually, they're only one part of it. The bigger part is the execution of only one statement at a time. Some DBD's will allow you to restrict yourself to one SQL statement per $sth, which is the big win.

---

My criteria for good software:

1. Does it work?
2. Can someone else come in, make a change, and be reasonably certain no bugs were introduced?

That depends. The OP only talks about "the user", he doesn't talk about the environment. If the OP writes a program that's run with the permissions of the user (that is, asking the user for a database user name and password), you don't need to worry about SQL attacks - the program can't do anything the user couldn't do already. If the user has permission to drop the database, he doesn't need your program to drop it. If he doesn't have permission, the program wouldn't give it to him.

Not every program is a web program. And even then, if I were to create a web program where I wanted to let users type in queries, I'd create a database user with only permissions to query - and only query the tables the webusers are allowed to see, and use that user to log in from my web program. That way, you are protecting the data at its source, and you only have to do it once, not for every possible program.