in reply to Re^3: Cookie login (pseudocode)
in thread Cookie login (pseudocode)
my $sth = $dbh->prepare("update thetable set that=? where this=?");
$sth->execute($that, $this);
I believe he means that $this and $that are SQL safe below. $this could easily be "1;delete from thetable"; the engine would merely look for column data of that string, not append the information. Unlike something like ...
my $sth = $dbh->prepare("update thetable set that=$that where this=$this");
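The two statements from the post above, run side by side against a throwaway database. This is an added example, not part of the original post. It assumes DBD::SQLite with an in-memory database, integer columns, and the driver's sqlite_allow_multiple_statements attribute switched on so that do() runs every statement in a string; the post itself names no driver or schema.

```perl
use strict;
use warnings;
use DBI;

# Constructed demo database: in-memory SQLite through DBD::SQLite (an
# assumption, the post names no driver). sqlite_allow_multiple_statements
# lets do() run every statement in a string, as some other drivers do.
sub fresh_db {
    my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "", {
        RaiseError => 1,
        PrintError => 0,
        sqlite_allow_multiple_statements => 1,
    });
    $dbh->do("create table thetable (this integer, that integer)");
    $dbh->do("insert into thetable (this, that) values (1, 10)");
    $dbh->do("insert into thetable (this, that) values (2, 20)");
    return $dbh;
}

# Number of rows currently in the table.
sub row_count {
    my ($dbh) = @_;
    my ($n) = $dbh->selectrow_array("select count(*) from thetable");
    return $n;
}

# $this carries the string quoted in the post; $that is a constructed value.
my ($that, $this) = (42, "1;delete from thetable");

# Placeholders: the whole string is bound as the value compared with "this".
my $dbh = fresh_db();
my $sth = $dbh->prepare("update thetable set that=? where this=?");
my $changed = $sth->execute($that, $this);   # DBI returns "0E0" for zero rows
printf "placeholders:  rows updated=%d, rows left=%d\n",
    $changed, row_count($dbh);

# Interpolation: the string becomes part of the SQL text handed to the engine.
$dbh = fresh_db();
$dbh->do("update thetable set that=$that where this=$this");
printf "interpolation: rows left=%d\n", row_count($dbh);
```

With placeholders the bound string matches no row and the table is untouched; with interpolation the text after the semicolon is parsed as a second statement.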