One good thing that has come out of this discussion is that I understand web security better now. I've developed an internal web app for my department and now that I've got it up and running with just dbh->quote()ing everything possible I think I'll start to bind up my db queries. I have to let my users input backslashes and other potentially dangerous stuff because of the nature of the data.