in reply to Securing DB transactions with user form input

Always use placeholders! In addition to the security benefits, it has performance benefits on databases that use server-side prepared handles, and allows you to use prepare_cached() more effectively (which gives performance benefits on all databases). Anyone who hasn't read them should check out Tim Bunce's DBI talk slides.
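An added example, not code from the original post, showing the contrast the reply describes in DBI: form input interpolated into SQL text versus bound through a placeholder, and a lookup routine using prepare_cached(). It assumes DBD::SQLite is installed and builds a throwaway in-memory table so it runs stand-alone.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed in-memory SQLite database so the script runs stand-alone.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$dbh->do(q{INSERT INTO users (name, email) VALUES ('O''Brien', 'ob@example.com')});
$dbh->do(q{INSERT INTO users (name, email) VALUES ('Smith',   'smith@example.com')});

# Constructed "form input". The apostrophe is perfectly legitimate data.
my $form_name = "O'Brien";

# Interpolating form input into the SQL text: the apostrophe breaks the
# statement, and that same parsing of data as SQL is the injection risk.
my $bad_sql = "SELECT email FROM users WHERE name = '$form_name'";
eval { $dbh->selectall_arrayref($bad_sql) };
print "Interpolated query failed: $@" if $@;

# Placeholder version: the value is bound separately from the SQL text,
# so whatever it contains is treated as data, never as SQL.
my $sth = $dbh->prepare('SELECT email FROM users WHERE name = ?');
$sth->execute($form_name);
while (my ($email) = $sth->fetchrow_array) {
    print "Placeholder query found: $email\n";
}

# prepare_cached(): the same SQL text yields the same prepared handle on
# every call, so the database parses it once instead of per request.
sub lookup_email {
    my ($dbh, $name) = @_;
    my $sth = $dbh->prepare_cached('SELECT email FROM users WHERE name = ?');
    $sth->execute($name);
    my ($email) = $sth->fetchrow_array;
    $sth->finish;   # release the handle so the cache can hand it out again
    return $email;
}

for my $n ("O'Brien", 'Smith', 'Nobody') {
    my $e = lookup_email($dbh, $n);
    printf "%-8s => %s\n", $n, defined $e ? $e : '(no row)';
}
```

The finish() call in lookup_email matters: a cached handle that is still active when prepare_cached() is asked for it again triggers a DBI warning.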