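# Look up one user row by name, passing $username as a bound value.
#
# Counter-example (do not use): interpolating $username into the SQL text
# lets any quote character in the value be parsed as SQL syntax, which is
# SQL injection.
#
#   my $SQL = "SELECT username, password FROM user WHERE username = '$username'";
#   my @row = $dbh->selectrow_array($SQL);
#
####
#
# Safe form: the statement text is a constant and contains only a `?`
# placeholder. Single quotes are used so nothing can be interpolated into it.
my $SQL = 'SELECT username, password FROM user WHERE username = ?';

# With RaiseError enabled on $dbh these checks never fire; without it,
# prepare/execute return false on failure and would otherwise be ignored.
my $sth = $dbh->prepare($SQL)
    or die "prepare failed: " . $dbh->errstr;

# execute binds $username to the placeholder as data. Depending on the
# driver, the value is sent to the server separately from the SQL text or
# quoted on your behalf. Nothing is stripped from it; it is simply never
# parsed as SQL.
$sth->execute($username)
    or die "execute failed: " . $sth->errstr;

# fetchrow_array is the documented name for the older fetchrow alias.
# @row is empty when no user matches.
# NOTE(review): this reads the password column; whether it holds a salted
# hash or plaintext is not visible here -- confirm before comparing it.
my @row = $sth->fetchrow_array;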