in reply to Basics: CGI MySQL security

Any time you are using data provided by a user in a query you need to be mindful of SQL Injection. Users are bad people and can't ever be trusted.

You should always use bound parameters when possible, and DBI::quote when it isn't.
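A worked illustration of the advice above, added here and not part of the original thread: the interpolated query, the bound-parameter version, and `$dbh->quote` for a dynamically built IN list. It assumes DBD::SQLite is installed so the DBI calls (identical for DBD::mysql) run against an in-memory database.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed example: an in-memory SQLite database stands in for MySQL so
# this runs offline (assumption: DBD::SQLite is installed).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)");
$dbh->do("INSERT INTO users (name, email) VALUES (?, ?)", undef, @$_)
    for ["alice", "alice\@example.com"], ["bob", "bob\@example.com"];

# Constructed untrusted CGI input: it closes the string literal and appends
# its own condition, which is exactly the injection the reply warns about.
my $wanted = "x' OR '1'='1";

# Vulnerable: the raw value is interpolated into the SQL text, so the
# appended condition is parsed as SQL and the WHERE clause matches everyone.
my $sth = $dbh->prepare("SELECT name FROM users WHERE name = '$wanted'");
$sth->execute;
printf "interpolated:    %d row(s)\n", scalar @{ $sth->fetchall_arrayref };

# Fixed: a bound parameter. The value is sent separately from the SQL text
# and can only be compared literally against the name column.
$sth = $dbh->prepare("SELECT name FROM users WHERE name = ?");
$sth->execute($wanted);
printf "bound parameter: %d row(s)\n", scalar @{ $sth->fetchall_arrayref };

# Fallback when you are assembling SQL text yourself, for example an IN list
# built from a multi-valued form field: quote() every value through the
# handle so DBI escapes it the way the connected driver requires.
# (One "?" per value would also work here; quote() is for the cases where
# a placeholder cannot be used.)
my @names   = ("alice", $wanted);
my $in_list = join ",", map { $dbh->quote($_) } @names;
my $rows    = $dbh->selectall_arrayref(
    "SELECT name FROM users WHERE name IN ($in_list)");
printf "quoted IN list:  %d row(s)\n", scalar @$rows;

$dbh->disconnect;
```

Note that `quote()` is for values only; a user-supplied column or table name needs `$dbh->quote_identifier` or, better, a whitelist.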