If you never include user-supplied data directly in a SQL statement passed to DBI, then yes, you have entirely solved the problem of SQL injection. Placeholders are the tool that lets you do that.