Ah, in that case:

Placeholders and bind-values are what you should be using. They would prevent the possibility of an SQL injection attack. Even if the semicolon isn't the issue, there are other things user-supplied input could do when interpolated into the middle of an SQL statement. But placeholders eliminate the interpolation, and overcome that issue. While you might not be able to construct an attack with a semicolon, I wouldn't be too confident that you've eliminated all attack vectors. At least with placeholders you can cross the SQL injection attack off the list.