use CGI;

  my $cgi = CGI->new();
  ...
  my $sth = $dbh->prepare($sql);
  $sth->execute($cgi->param('state')) or die ...