Personally, a lack-of-support for placeholders would be a deal-breaker. It'd be sufficient, on its own, to warrant the dumping of that module and the search for a different module, or the ground-up writing of a new one, if need be. Injection attacks are not the only problem solved by placeholders, though, again, all on its own, it's sufficient cause for any database-interfacing module to support them. If the author of the module is not aware enough of this to simply allow binding of variables through their interface into DBI, then I would be concerned about everything else. (Which, of course, is not to say that allowing placeholders would be sufficient to draw the conclusion that they're a DB expert.)