Akoya, the DBI module will sanitize the parameters you pass in to placeholders in a prepared statement:
in reply to Re^3: Cookie login (pseudocode)
in thread Cookie login (pseudocode)
Whereas if you just did it using $dbh->do():
my $sth = $dbh->prepare("SELECT * FROM foo WHERE bar = ?");
$sth->execute("my 'scary variable here';");
You would have a problem, because the ' and ; characters would not have been escaped - and would therefore do Bad Things™ to your database.
$dbh->do("SELECT * FROM foo WHERE bar = " . "my scary 'variable here';