I always forget to do that, but this is good advice from BigJoe. There are two reasons (probably more) to use bind parameters:
- Preparing your SQL statement once and executing it inside a loop will save you a lot of overhead any time you are repeating the same operation across a range of variables. While a database cache may protect you from shooting yourself in the foot, there is no sense in trusting in that when you can code around it so easily.
- A happy side effect of using the question-mark in the prepare and passing the variable in the execute method is that you don't have to worry about quoting strings and not quoting numbers or dates -- the DBI just takes care of it for you. This can save you considerable grief, or at least I find it does in Oracle.
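As an added example (not code from the thread), here is the pattern the post describes in Perl DBI: prepare the statement once, execute it in a loop with `?` placeholders, and let the DBI handle quoting of strings, numbers and dates. It assumes `DBD::SQLite` is installed and uses an in-memory database so it runs offline; the sample rows are constructed.

```perl
#!/usr/bin/env perl
# Added example: prepare once, execute many times with bind parameters,
# and contrast with string interpolation. Assumes DBD::SQLite is available.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, created DATE)");

# Constructed sample rows: a number, a string with an embedded quote, and a date.
my @rows = (
    [ 1, "O'Brien", '2024-01-15' ],
    [ 2, "Smith",   '2024-02-01' ],
    [ 3, "Ng",      '2024-03-01' ],
);

# Prepare once, execute in a loop: the statement is parsed a single time, and
# each value is bound as data, so no quoting decisions are made in Perl code.
my $ins = $dbh->prepare("INSERT INTO users (id, name, created) VALUES (?, ?, ?)");
$ins->execute(@$_) for @rows;

# The same statement handle serves any lookup value, quote characters included.
my $sel = $dbh->prepare("SELECT id FROM users WHERE name = ?");
for my $name ("O'Brien", "Smith", "nobody") {
    $sel->execute($name);
    my ($id) = $sel->fetchrow_array;
    printf "%-10s -> %s\n", $name, defined $id ? "id $id" : "no match";
}

# Interpolation, for contrast: fine for "Smith", but the single quote in
# "O'Brien" breaks the SQL and RaiseError turns that into an exception.
my $name = "O'Brien";
eval { $dbh->selectrow_array("SELECT id FROM users WHERE name = '$name'") };
print "interpolated query failed: $@" if $@;

# $dbh->quote() is the manual fallback where a placeholder cannot be used
# (for example a table name); for values, placeholders are the simpler choice.
my $quoted = $dbh->quote($name);
my ($id) = $dbh->selectrow_array("SELECT id FROM users WHERE name = $quoted");
print "quoted lookup for $name -> id $id\n";
```

Running it prints an id for `O'Brien` and `Smith` via the placeholder query, "no match" for `nobody`, and a syntax-error message for the interpolated query; the `$dbh->quote()` lookup then succeeds, showing that the placeholder path does the same escaping automatically.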