> The Perl code passes this string through a regex that checks the name is valid

I think "parse, don't validate" doesn't help in this example, but naively the regex would not check whether a name is valid but "extract all parts of the string that are provably safe".

Which is not reasonable for SQL statements, so someone invented prepared statements.

I think the idea is that the regex parsing forces the programmer to think about what they're doing with the string and what the requirements for the non-tainted variable are.

For example, a file name string would not allow unescaped directory separators, dots, line breaks, null bytes (I probably got most details wrong here...) and the regex could remove these or extract the substring until the first forbidden character.

Sure, this cannot prevent mistakes.

But the idea, I think, is not to have a variable "safeUserName", instead a "safeDbStatement" one.
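
An added example, not part of the comment above or of the code it discusses: Perl's regex-capture untainting applied to a file name, once in the "extract the substring until the first forbidden character" style and once rejecting anything that does not match as a whole. The allowlist, the sample inputs and the names `extract_name` and `parse_name` are assumptions made for this illustration.

```perl
#!/usr/bin/perl
# Run as: perl -T untaint_filename.pl   (-T turns on taint mode)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Allowlist for one file name component (an assumption for this example):
# starts with a letter or digit, then letters, digits, '_', '-' or '.',
# at most 64 characters. Separators, NUL and line breaks are not in it.
my $NAME = qr/[A-Za-z0-9][A-Za-z0-9_.-]{0,63}/;

# "Extract" style: keep the leading run of allowed characters, drop the rest.
sub extract_name {
    my ($raw) = @_;
    return $raw =~ /\A($NAME)/ ? $1 : undef;    # a capture is untainted under -T
}

# "Reject" style: the whole string must match. \z is used instead of $
# because $ also matches just before a trailing newline.
sub parse_name {
    my ($raw) = @_;
    return $raw =~ /\A($NAME)\z/ ? $1 : undef;
}

# Zero-length string cut from tainted values; appending it taints the
# constructed samples under -T, standing in for real user input.
my $taint = substr(join('', $0, $^X, values %ENV), 0, 0);

# Constructed sample inputs.
my @samples = ("report.txt", "report.txt\n", "notes.txt/../../etc/passwd",
               "../secret", "a\0b");

for my $sample (@samples) {
    my $raw = $sample . $taint;
    my ($extracted, $parsed) = (extract_name($raw), parse_name($raw));

    # Escape non-printable bytes so the input can be shown on one line.
    (my $shown = $raw) =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;

    printf "%-30s extract=%-10s reject=%-10s in_tainted=%d out_tainted=%d\n",
        $shown,
        $extracted // 'undef',
        $parsed    // 'undef',
        tainted($raw) ? 1 : 0,
        (defined $extracted && tainted($extracted)) ? 1 : 0;
}
```

For an input with a forbidden character in the middle, the extract style returns a silently truncated name while the reject style returns `undef`. In both cases the untainted result only reflects what the pattern allowed, so the pattern is where the requirements have to be written down.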