in reply to Re: What if the bad-guys send nonsense as a session-id?
in thread What if the bad-guys send nonsense as a session-id?

without further checks as to its format

If I do that, I'm doomed, so I won't do that. There's taint mode, and untainting.

Header checking, parameter validation and untainting have to happen (and in a reasonable setup do happen) before any database query.

So what if I “inject” that?

You can do that only if I let you. My CGISESSIONID matches /^[0-9A-z]{32}$/; if what you are trying to inject doesn't conform to that, you're out. Matching a nonsensical cookie against that pattern won't execute anything.

Then, for database queries, I use DBI and placeholders, so no SQL injection here either.

--shmem

_($_=" "x(1<<5)."?\n".q·/)Oo.  G°\        /
                              /\_¯/(q    /
----------------------------  \__(m.====·.(_("always off the crowd"))."·
");sub _{s./.($e="'Itrs `mnsgdq Gdbj O`qkdq")=~y/"-y/#-z/;$e.e && print}
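As an added example (not shmem's code, and not from the original post): the two checks described above, untainting the cookie value against an explicit character class and then looking the session up through a DBI placeholder. The function names and the in-memory SQLite table are assumptions; the class is spelled out as `[0-9A-Za-z]` because in ASCII the shorthand range `A-z` also admits the six characters `[ \ ] ^ _ \`` that sit between `Z` and `a`.

```perl
# Run with: perl -T this_script.pl   (taint checks on; needs DBI and DBD::SQLite)
use strict;
use warnings;
use DBI;

# Untaint a candidate session id. Perl treats only the capture from a
# successful match as untainted; anything that does not match is rejected.
# The class is written out as A-Za-z so that [ \ ] ^ _ ` are not accepted.
sub untaint_session_id {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $1 if $raw =~ /\A([0-9A-Za-z]{32})\z/;
    return undef;
}

# Look the session up with a placeholder: the id is bound as data and is
# never interpolated into the SQL text, so it cannot alter the statement.
sub fetch_session {
    my ($dbh, $sid) = @_;
    my $sth = $dbh->prepare('SELECT data FROM sessions WHERE id = ?');
    $sth->execute($sid);
    my ($data) = $sth->fetchrow_array;
    return $data;
}

# Self-contained demo against an in-memory SQLite database (assumed schema).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('CREATE TABLE sessions (id TEXT PRIMARY KEY, data TEXT)');
my $good = 'a' x 32;    # constructed sample session id
$dbh->do('INSERT INTO sessions (id, data) VALUES (?, ?)', undef, $good, 'user=42');

# Constructed cookie values: a valid id, an injection attempt, 32 bracket
# characters (which the range A-z would have let through), and a short one.
for my $cookie ($good, "' OR 1=1 --", ('[' x 32), 'ab') {
    my $sid = untaint_session_id($cookie);
    if (defined $sid) {
        my $data = fetch_session($dbh, $sid);
        printf "%-34s accepted -> %s\n", $cookie, defined $data ? $data : '(no row)';
    } else {
        printf "%-34s rejected\n", $cookie;
    }
}
```

Only the first value reaches the database; the other three never get past the match, which is the point the post makes.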