also AFAIK, DBI executes whatever you tell him to, there's no "prevents SQL injection"

That's right, but only half the truth. DBI does offer a very simple interface to bind parameters, making it very easy to write code that never interpolates values into SQL strings, thus preventing SQL injections.