You should always plan to use it with CGI scripts

The trick to untaint data, as far as I am aware, is to ensure your data is correct . i.e. do data validation. Usually this means using (tight) regexps to ensure the user input doesn't go outside expected bounds.

From what I have read, if you are entering anything into a db then you might want to SQL-escape it too so that people can't hijack your database and delete everything.

HTML::Entites will help display stuff that might otherwise break your web page - what's left that can beak your db?

"If you are entering anything into a db then you might want to SQL-escape it too so that people can't hijack your database"

By using placeholders, right?

I'm so adjective, I verb nouns!

chomp; # nom nom nom

What are placeholders in DBI, and why would I want to use them? doesn't seem to indicate that the fields are escaped in any way ... but they might be.

You might want to read this and read the docs on $dbh->prepare() and $dbh->quote()

It can do much more damage than just break your web page...
• http://en.wikipedia.org/wiki/Cross-site_scripting
• Preventing XSS
And yes - you should always use placeholders in your SQL.

---

Have you tried freelancing? Check out Scriptlance - I work there. For more info about Scriptlance and freelancing in general check out my home node.

I would always use placeholders simply for the speed increase they offer, but does the use of them imply the placeholder content is, for want of a better phrase, SQL-escaped for the actual DB in use?

My scan of the documentation didn't find that information for placeholders but seemed to imply that $db->quote() might. I would like to know for sure if placeholders also perform this function.