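# Read the request parameter before it is used: the original built the SQL
# string first, so $bar_value was still undeclared/undef at that point.
my $bar_value = param('bar');

# Never interpolate the untrusted parameter into the statement text. A '?'
# placeholder lets the driver pass the value out-of-band, so it cannot
# change the structure of the query regardless of its content.
my $sql = 'select blargh from foo where bar = ?';

# prepare() returns undef on failure unless RaiseError is enabled; fail
# loudly rather than carrying an undef $sth forward.
my $sth = $dbh->prepare($sql)
    or die "prepare failed: " . $dbh->errstr;

# The value is supplied at execution time, e.g. $sth->execute($bar_value),
# and must not be concatenated into $sql anywhere downstream.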