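# Look up the account row for $username through a bound placeholder.
# The "?" is never spliced into the SQL text: DBI hands $username to the
# driver as a data value (quoted by the driver or sent separately from the
# statement), so its contents cannot change the structure of the query.
# Nothing is stripped from the value itself. Placeholders stand in for
# values only, never for table or column names.
my $sth = $dbh->prepare(
    "SELECT username, password FROM user WHERE username = ?"
) or die "prepare failed: " . $dbh->errstr;

# Unless RaiseError is set on the handle, a failed execute only returns
# false, so stop here rather than read from a statement that never ran.
# Keep the driver's error text in the server log, not in output sent to
# the client.
$sth->execute($username)
    or die "execute failed: " . $sth->errstr;

# fetchrow_array is the documented name of the old fetchrow alias.
# An empty @row means no account matched $username.
# NOTE(review): the password column is presumably a stored hash to be
# verified, not a plaintext value to compare - confirm against the schema.
my @row = $sth->fetchrow_array;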