in reply to What if the bad-guys send nonsense as a session-id?

If you use DBI with placeholders in your SQL, you're fairly safe against injection of "evil" code.

I use something like this in my code:

    use DBI;
    # $cgi is a CGI object and $dbh an open DBI handle, set up earlier
    my $id    = $cgi->param('user_id');
    my $query = $dbh->prepare("SELECT columns FROM users WHERE id = ?");
    $query->execute($id);   # $id is bound as data, never spliced into the SQL text

Since DBI handles the argument passing for me, the worst thing that can happen is that the type of the URL parameter doesn't match that of the column in the database, and the database handler dies with an error. (But since the user tried to subvert my page, I don't really care).

There is another problem though: You have to store the session. If your sessions live rather long, a malicious user agent could just request pages over and over again, and each time a new session is stored on disk.

The client simply discards the cookie, and your application will happily generate new cookies.

To guard against these kinds of attacks you simply have to read your log files on a regular basis.
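As an added example (not the poster's code) of the placeholder approach above, this script looks a user up by id and screens the parameter before it ever reaches the database, so a nonsense id is rejected instead of making the handler die. It assumes DBD::SQLite and builds its own in-memory table; note that SQLite is loosely typed and would not die on a type mismatch the way the poster's database does, so here it is the format check that turns nonsense away.

```perl
#!/usr/bin/perl
# Added example, not from the original thread: DBI placeholders plus an
# input format check. Assumes DBD::SQLite; the table and rows are constructed.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$dbh->do("INSERT INTO users (id, name) VALUES (?, ?)", undef, @$_)
    for ([1, 'alice'], [42, 'bob']);

# Look up a user by id. Returns the name, or undef when the id is not a
# plain positive integer or no row matches. The placeholder means the
# value travels to the database as data, never as part of the SQL text.
sub user_name {
    my ($dbh, $id) = @_;
    return undef unless defined $id && $id =~ /\A[1-9][0-9]{0,9}\z/;
    my $sth = $dbh->prepare("SELECT name FROM users WHERE id = ?");
    $sth->execute($id);
    my ($name) = $sth->fetchrow_array;
    return $name;
}

# Constructed inputs: two real ids, an unknown id, and two nonsense values
# of the kind the parent post asks about.
for my $input (1, 42, 7, "abc", "1 OR 1=1") {
    my $name = user_name($dbh, $input);
    printf "%-12s => %s\n", "'$input'", defined $name ? $name : "(no match / rejected)";
}
```

Keeping the check in one place, before the query, also means a flood of junk ids never costs a database round trip.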