Assuming you aren't doing anything really weird anyway, like passing a table name as a GET argument to a script or something.

The whole point of using placeholders or $dbh->quote is that you don't trust anything that comes from the client to actually be valid. If you want to be sure that you aren't vulnerable to SQL injection attacks, or cross-site scripting attacks, or probably a whole lot of other things, you can do sanity checks on anything you're getting from the client.

adam

-----Original Message-----
From: Octavian Rasnita [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 15, 2005 2:19 PM
To: Ian Joyce; Adam Prime x443
Cc: Mod-Perl ((E-mail))
Subject: Re: securing web form interaction

Hi,

I usually use placeholders in DBI. Is this enough for avoiding SQL injections?

I have made a simple test and I have seen that it seems to be enough, but... I am not sure.

Thanks.

Teddy
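The distinction Adam draws, placeholders for values versus an explicit sanity check for anything a placeholder cannot bind (such as a table name), as an added Perl/DBI example that is not code from either message; it assumes DBD::SQLite is installed and uses an in-memory database with constructed rows.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; an in-memory database stands in for the real one.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

$dbh->do("CREATE TABLE users (name TEXT, email TEXT)");
$dbh->do("INSERT INTO users VALUES ('teddy', 'teddy\@example.com')");   # constructed row
$dbh->do("INSERT INTO users VALUES ('adam',  'adam\@example.com')");    # constructed row

# Constructed client input: a quote character followed by a tautology.
my $untrusted_name = "x' OR '1'='1";

# WRONG: interpolating the value lets the client's quote become part of the SQL,
# so the WHERE clause matches every row.
my $sth = $dbh->prepare("SELECT COUNT(*) FROM users WHERE name = '$untrusted_name'");
$sth->execute;
my ($interpolated) = $sth->fetchrow_array;   # 2: the whole table

# RIGHT: a placeholder sends the value separately from the statement text,
# so it is only ever compared as data.
$sth = $dbh->prepare("SELECT COUNT(*) FROM users WHERE name = ?");
$sth->execute($untrusted_name);
my ($bound) = $sth->fetchrow_array;          # 0: no user has that literal name

# Placeholders bind values, not identifiers. A table name taken from the client
# cannot be a placeholder, so the sanity check has to be an allow-list, after
# which quote_identifier() handles the SQL quoting of the name itself.
my %allowed_table = map { $_ => 1 } qw(users orders);
sub count_rows_in {
    my ($table) = @_;
    die "refusing unknown table: $table\n" unless $allowed_table{$table};
    my ($n) = $dbh->selectrow_array(
        "SELECT COUNT(*) FROM " . $dbh->quote_identifier($table));
    return $n;
}

printf "interpolated=%d bound=%d users=%d\n",
    $interpolated, $bound, count_rows_in('users');
eval { count_rows_in("users; DROP TABLE users") };
print "rejected: $@" if $@;
```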