Beware of the false sense of being secured, and instead, be paranoid! You can enver know, how weird ideas other might have to crack your tiny little script...

Although using placeholders is considered to be a good practice, here SQL Injection myths under DBI? you will find an extensive discussion on this topic and a bazillion of ideas on how to crack SQL queries. Pick the one you most like!

I think that it is more of a phylosophical question than a practical one: the point is that one should never ever post production CGI code on public forums!