Thanks Dave. Yeah - I've been using placeholders & bind-variables, but did wonder about the need for those given my findings with DBI not allowing multiple statements, but you've semi-answered that, so thanks!
Well for one thing a malicious user could supply the necessary values for interpolation, and in the last value, close the parents and continue on with an inner join that is constructed to reveal what you never intended to reveal, or to consume tons of resources. Imagine a chain of "order by".