in reply to security question, mysql, limit, dbi, and placeholders
If you are concerned about the value given to $max_recs1 = param("max_rec"); (which you definitively should be), then you should verify its contents before using it in your SQL query.
I'd check that the value is an integer value, positive and smaller than or equal to some max value you will have to decide. (In your case typically 120. ;-)
Everything went worng, just as foreseen.
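
The check described in the reply above, as an added example that is not part of the original post: the helper name validate_limit, the table and column names, and the sample inputs are all hypothetical, and the bound of 120 is the one the reply suggests.

```perl
use strict;
use warnings;

# Upper bound taken from the reply ("typically 120").
my $MAX_RECS = 120;

# Hypothetical helper: returns the validated integer, or nothing (undef in
# scalar context) if the input is not a plain decimal integer in 1..$max.
sub validate_limit {
    my ($raw, $max) = @_;
    return unless defined $raw;
    # [0-9] rather than \d: \d also matches non-ASCII Unicode digits.
    # \A and \z rather than ^ and $: $ would accept a trailing newline.
    # {1,9} bounds the length so the value always fits a native integer.
    return unless $raw =~ /\A[0-9]{1,9}\z/;
    my $n = $raw + 0;                 # normalises "007" to 7
    return if $n < 1 || $n > $max;    # positive and not above the cap
    return $n;
}

# Constructed sample inputs, as they might arrive from param("max_rec").
my @samples = ('25', '120', '007', '121', '0', '-5', '10; DROP TABLE t',
               "10\n", '1e2', ' 10', '', undef, '99999999999999999999');

for my $raw (@samples) {
    my $n = validate_limit($raw, $MAX_RECS);
    my $shown = defined $raw ? $raw : '(undef)';
    $shown =~ s/\n/\\n/g;             # make the newline visible in output
    if (defined $n) {
        # $n is a known-good integer here, so it can go into LIMIT.
        # Table and column names are placeholders for illustration.
        my $sql = sprintf 'SELECT id FROM records LIMIT %d', $n;
        printf "%-24s accepted -> %s\n", "'$shown'", $sql;
    }
    else {
        printf "%-24s rejected\n", "'$shown'";
    }
}
```

Only '25', '120' and '007' are accepted; everything else, including the trailing-newline and exponent forms, is rejected before any SQL is built.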