As long as you're using placeholders (and the DBI driver doesn't shortcut them by interpolating the values into the SQL text itself), there is no way for data to leak through as commands to the database.
Turning on DBI tracing (for example with DBI_TRACE=1 in the environment, or $dbh->trace(1) in the script), you can see exactly what is happening:
    <- prepare('select * from foo where bar=?' CODE)= DBI::st=HASH(0x81a2574) at testph.pl line 11.
    <- execute('plugh' CODE)= 1 at testph.pl line 12.
You can see from the trace how the command is passed to the database separately from the data (using MySQL in this example): the statement text with its ? marker goes across in prepare(), and the value 'plugh' goes across in execute(). Because the statement has already been parsed by the time the value arrives, the value can only ever be treated as a value, never as executable SQL code, whatever quote characters it happens to contain.
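To make the difference concrete, here is an added example (not the script from the trace above) that runs the same query both ways against a constructed input. It assumes DBD::SQLite is installed and uses an in-memory SQLite database in place of the MySQL server; the table, rows and attacker string are all made up for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; an in-memory database stands in
# for the MySQL server used in the trace above.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });

$dbh->do('CREATE TABLE foo (id INTEGER PRIMARY KEY, bar TEXT)');
my $ins = $dbh->prepare('INSERT INTO foo (bar) VALUES (?)');
$ins->execute($_) for qw(plugh xyzzy);      # constructed sample rows

# Constructed attacker-controlled input: a quote followed by a tautology.
my $input = q{plugh' OR '1'='1};

# Vulnerable form: the value is interpolated into the SQL text, so the
# embedded quote closes the literal and the rest becomes part of the query.
my $unsafe_sql  = "select * from foo where bar='$input'";
my $unsafe_rows = $dbh->selectall_arrayref($unsafe_sql);
printf "interpolated: %d row(s) returned\n", scalar @$unsafe_rows;

# Safe form: the SQL text is fixed at prepare() time and the value travels
# separately at execute(), exactly as the trace shows.
my $sth = $dbh->prepare('select * from foo where bar=?');
$sth->execute($input);
my $safe_rows = $sth->fetchall_arrayref;
printf "placeholder:  %d row(s) returned\n", scalar @$safe_rows;

# Uncomment to watch prepare() and execute() being logged separately.
# $dbh->trace(1);

$dbh->disconnect;
```

The interpolated query matches every row in the table, because the input has rewritten the WHERE clause; the placeholder query matches none, because no row has the literal value plugh' OR '1'='1. One caveat for the MySQL case in the trace: DBD::mysql emulates placeholders client-side by default (server-side prepared statements need the mysql_server_prepare attribute), so the driver quotes the value and splices it into the statement before sending it. That is still safe against injection, since the driver does the quoting, but it is the reason the parenthetical about drivers shortcutting placeholders matters.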