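# Connect to the database.  RaiseError makes every DBI call die on failure
# instead of returning undef, so a failed connect/prepare/execute can never be
# mistaken for "no rows"; PrintError is off so the error is not reported twice.
# ($dsn, $username, $password and the bind values are assumed to be declared by
# the enclosing script, which should also run under strict/warnings.)
my $dbh = DBI->connect(
    $dsn, $username, $password,
    { RaiseError => 1, PrintError => 0 },
) or die "Cannot connect to $dsn: $DBI::errstr";

# Prepare a statement using '?' placeholders.  The heredoc is single-quoted so
# no variable can be interpolated into the SQL text by accident; placeholders
# bind *values* only - table and column names cannot be bound and must never
# be built from untrusted input.
my $sth = $dbh->prepare(<<'SQL');
select * from table where something = ? and something_else = ?
SQL

# Now supply the arguments - the driver sends them as bound parameters, so they
# are never spliced into the SQL string (no manual quoting needed):
$sth->execute($some_value, $another_value);

# We have avoided SQL Injection and can process our results:
while (my $record = $sth->fetchrow_hashref) {
    # Process $record (a hashref keyed by column name):
}

# finish() is only required when a result set is abandoned before fetchrow_*
# returns undef; it is harmless after a loop that ran to completion.
$sth->finish;
$dbh->disconnect;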