"If so, I'm thinking this should just be standard practice for any and all DB transactions that pass user input to an sql statement."
Perhaps. But consider other languages such as PHP that don't have placeholders. I find that the standard practice is to use id's wherever you can -- such as a drop down boxes of items. Don't pass the value of the drop down -- pass in the id number for that value and translate it back before you issue your query.
my $id = $q->param( 'start_date_id' );
my $date = $dates[$id]; # etc. maybe add real validation
my $sth = $dbh->prepare( 'SELECT this FROM that WHERE date = ?' );
$sth->execute( $date );