protecting against malicious sql injection
I have a bunch of perl CGIs that take params and use their values in various DBI mySql queries.
Is there any way that a malicious user can do harm (or steal data) from my system if I don't allow any user submitted values that contain the words select, insert, delete, or update to be used as parameters and as long as I wrap all the varchar user provided values in single quotes?
I realize this question is very similar to others asked, but the others all seem to point to various PHP solutions, and I'm not using PHP, so, please forgive the redundancy, or point me to an associated question that answers this specific question.
The correct way to handle this in Perl is to use placeholders in all your SQL queries. Passing user-supplied data via DBI placeholders will ensure that everything is properly quoted. (That doesn't guarantee that it's secure, of course, but it will prevent SQL injection.)
Use parameterized queries. Then the user input is not part of the command at all, which is the only reliable way to know the command won't be modified.
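The following is an added illustration of what both answers recommend; it is not code from the question or from either answer. It puts the question's scheme (keyword blocklist plus hand-wrapped single quotes) next to a DBI placeholder, and assumes DBD::SQLite is installed so it runs against an in-memory database instead of MySQL (the `?` placeholder syntax is the same with DBD::mysql).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; an in-memory database stands in for MySQL.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });

$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)");

# Constructed sample rows, inserted with placeholders (so the apostrophe
# in O'Brien needs no special handling here either).
my $ins = $dbh->prepare("INSERT INTO users (name, email) VALUES (?, ?)");
$ins->execute(@$_) for ["Alice", 'alice@example.com'],
                      ["O'Brien", 'obrien@example.com'];

# The question's approach: reject a few keywords, then wrap the value in
# single quotes by hand. The value is still spliced into the SQL text, so a
# quote inside it ends the string literal and changes the statement itself.
sub lookup_by_name_unsafe {
    my ($name) = @_;
    die "rejected: blocklisted keyword\n"
        if $name =~ /\b(?:select|insert|delete|update)\b/i;
    my $sql = "SELECT name, email FROM users WHERE name = '$name'";
    return $dbh->selectall_arrayref($sql);
}

# The answers' approach: a placeholder. The SQL text is fixed at prepare
# time and the value is bound separately, so it is only ever data.
sub lookup_by_name_safe {
    my ($name) = @_;
    my $sth = $dbh->prepare("SELECT name, email FROM users WHERE name = ?");
    $sth->execute($name);
    return $sth->fetchall_arrayref;
}

# A perfectly legitimate input that passes the keyword filter but contains
# a quote. The unsafe version dies with a SQL syntax error because the
# apostrophe terminates the quoted literal early; the safe version simply
# looks up the name.
my $input = "O'Brien";

my $rows = eval { lookup_by_name_unsafe($input) };
print "unsafe: ", ($@ ? "failed: $@" : scalar(@$rows) . " row(s)\n");

$rows = lookup_by_name_safe($input);
print "safe:   ", scalar(@$rows), " row(s) for ", $rows->[0][0], "\n";
```

The same mechanism that breaks the query on an apostrophe is what lets a hostile value alter the statement, which is why the keyword blocklist adds nothing once placeholders are used.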