##
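# Parameterised query: the user-supplied state value is bound through the '?'
# placeholder, so DBI hands it to the server as a data value instead of
# splicing it into the SQL text.
my $sql = "SELECT city FROM table WHERE state = ?";
# prepare() returns undef on failure (e.g. a SQL syntax error); check it rather
# than calling a method on undef later.
my $sth = $dbh->prepare($sql)
    or die "prepare failed: " . $dbh->errstr;
# execute() is a statement-handle method: call it on $sth, not $dbh (the
# original $dbh->execute is not a DBI database-handle method). The bind value
# is passed as an argument, never interpolated. execute() returns false on
# failure, so check that as well.
$sth->execute($FORM{state})
    or die "execute failed: " . $sth->errstr;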
####
Example attacker-supplied value for the `state` parameter (SQL text, not Perl): `1; drop table database`. Because the statement above binds the value through a `?` placeholder, DBI passes it to the server as data and the `drop` is never parsed as a command. Had `$FORM{state}` been interpolated into `$sql` directly, this input would end the SELECT early and append a second statement (whether that second statement runs depends on the driver and server allowing multiple statements per call).
####
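use CGI;
my $cgi = CGI->new();
...
# Read the parameter in scalar context. In list context CGI::param returns
# every value submitted under 'state', so a request carrying two 'state'
# fields would pass two bind values for a single placeholder (DBI rejects
# the call) — and at call sites that build hashes or positional argument
# lists the extra values can silently shift or overwrite other arguments.
my $state = scalar $cgi->param('state');
# prepare() returns undef on failure; do not call execute() on undef.
my $sth = $dbh->prepare($sql)
    or die "prepare failed: " . $dbh->errstr;
# The value is bound, never interpolated into $sql. execute() returns false
# on failure, so the error is surfaced instead of ignored.
$sth->execute($state)
    or die "execute failed: " . $sth->errstr;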