in reply to perl SQL injection prevent module
An injection attack results in a valid SQL statement (or multiple valid SQL statements). You can't check a query for an injection attack. Fortunately, there are two ways of sidestepping the problem.
Use bind to specify arguments instead of building the query string from user input.
Alternatively, use $dbh->quote to escape user data when building a query string from user input.
Both of these functions are documented in DBI.
By the way, the name of the language is "Perl", not "PERL".
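An added example, not part of the original reply, comparing string interpolation with the two DBI approaches named above (placeholders with bind values, and `$dbh->quote`). It assumes DBD::SQLite is installed so it can run against an in-memory database; the `users` table and the input strings are constructed for illustration.

```perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; :memory: keeps the example offline.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

# Constructed sample data.
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$dbh->do('INSERT INTO users (name) VALUES (?)', undef, $_)
    for ('alice', "O'Brien");

# Constructed inputs: a legitimate name containing a quote, and a value
# that tries to alter the WHERE clause.
my @inputs = ("O'Brien", "nobody' OR '1'='1");

for my $input (@inputs) {
    # Pattern to avoid: the input becomes part of the SQL text itself.
    my $rows = eval {
        $dbh->selectall_arrayref(
            "SELECT id, name FROM users WHERE name = '$input'");
    };
    my $unsafe = defined $rows ? scalar(@$rows) . ' row(s)' : 'SQL error';

    # Placeholder + bind value: the SQL text never contains user data.
    my $sth = $dbh->prepare('SELECT id, name FROM users WHERE name = ?');
    $sth->execute($input);
    my $bound = scalar @{ $sth->fetchall_arrayref };

    # $dbh->quote: the driver escapes and quotes the value before it is
    # concatenated into the statement.
    my $sql = 'SELECT id, name FROM users WHERE name = '
            . $dbh->quote($input);
    my $quoted = scalar @{ $dbh->selectall_arrayref($sql) };

    printf "%-22s interpolated: %-10s bind: %d row(s)  quote: %d row(s)\n",
        "[$input]", $unsafe, $bound, $quoted;
}

$dbh->disconnect;
```

With bind values and with `$dbh->quote`, both inputs are compared against the `name` column as plain strings; only the interpolated query lets the input change the statement or break its syntax.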