Over on Re^6: Splitting the records into multiple worksheets, hippo pointed out the error of my ways and I have been going through some code that's being produced to implement placeholders. Can I please check that I am now on the right lines and doing things better...

I had this line of code...

$dbh->do("INSERT INTO Web_Page SET template = '$request', test = '$tes
+t', source = '$data{'source'}', Visitor_idVisitor = $cookie{'_ls_visi
+t'}") unless $$vars{'testpage'};
[download]

All the variables are generated within the code except $data{'source'} which is derived from the HTTP query string and therefore potentially unsafe.

I have replaced that line of code with this...

unless ($vars->{'testpage'}) {
    my $query = $dbh->prepare("INSERT INTO Web_Page SET template = '$r
+equest', test = '$test', source = ?, Visitor_idVisitor = $cookie{'_ls
+_visit'}");
    $query->execute($data{'source'});
}
[download]

Is that the best approach or should I be using placeholders for every variable, even those I have declared and therefore know are safe?