Nice work (although the outcome is not unexpected ;).
in reply to Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite
There are other potential security risks, though. For example if you use an ORM mapper (like DBIx::Class or Rose::DB) and construct a complicated query, you have to know exactly which arguments are parsed as SQL and which aren't.
But if you really stick to plain DBI with placeholders you don't have to worry very much about SQL injection.
You still have to consider possible DoS attacks, but that's usually not as bad as SQL injection.