Akoya, the DBI module will sanitize the parameters you pass in to placeholders in a prepared statement:

my $sth = $dbh->prepare("SELECT * FROM foo WHERE bar = ?");
$sth->execute("my 'scary variable here';");
[download]

Whereas if you just did it using $dbh->do():

$dbh->do("SELECT * FROM foo WHERE bar = " . "my scary 'variable here';
+");
[download]

You would have a problem, because the ' and ; characters would not have been escaped - and would therefore do Bad Things™ to your database.