All GET/POST form values go into %FORM into BML, but
on critical actions. GET requests can be easily spoofed, or hidden in
Never read in arbitrary amounts of input.
Never use unsanitized data in a command or SQL.
DBI placeholders (question marks), also known as bound parameters. This helps protect from SQL injection, and aids querying efficiency. Use $dbh->quote() when necessary (usually placeholders are fine).
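The difference between interpolating a %FORM value into SQL, binding it as a DBI placeholder, and escaping it with $dbh->quote(), shown as an added example that is not part of the original guidelines. It assumes DBD::SQLite is installed for an in-memory database; the `user` table, the %FORM contents and the sub names are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed demo: an in-memory SQLite database standing in for the site DB.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE user (userid INTEGER PRIMARY KEY, user TEXT, email TEXT)");
$dbh->do("INSERT INTO user (user, email) VALUES ('alice', 'alice\@example.com')");
$dbh->do("INSERT INTO user (user, email) VALUES ('bob', 'bob\@example.com')");

# Hypothetical %FORM contents, as BML would populate them from the request.
# The value contains a quote so the three approaches can be compared.
my %FORM = ( user => "x' OR '1'='1" );

# Unsafe: the form value becomes part of the SQL text, so the quote inside
# the value changes the statement and the WHERE clause no longer filters.
sub lookup_unsafe {
    my ($dbh, $user) = @_;
    return $dbh->selectall_arrayref("SELECT user FROM user WHERE user='$user'");
}

# Safe: the value travels as a bound parameter and is never parsed as SQL;
# the prepared statement can also be reused by the driver.
sub lookup_placeholder {
    my ($dbh, $user) = @_;
    return $dbh->selectall_arrayref("SELECT user FROM user WHERE user=?",
                                    undef, $user);
}

# When the SQL string itself must carry the literal (a placeholder cannot be
# used at that position), $dbh->quote() escapes it for the connected driver.
sub lookup_quoted {
    my ($dbh, $user) = @_;
    my $quoted = $dbh->quote($user);
    return $dbh->selectall_arrayref("SELECT user FROM user WHERE user=$quoted");
}

# Expected: unsafe matches every row, the other two match none.
printf "unsafe:      %d row(s)\n", scalar @{ lookup_unsafe($dbh, $FORM{user}) };
printf "placeholder: %d row(s)\n", scalar @{ lookup_placeholder($dbh, $FORM{user}) };
printf "quoted:      %d row(s)\n", scalar @{ lookup_quoted($dbh, $FORM{user}) };
$dbh->disconnect;
```

Run it with `perl` after installing DBD::SQLite; the unsafe lookup returns both rows while the placeholder and quoted lookups return zero, which is the behaviour the guideline above is asking for.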