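# Build a SELECT whose WHERE clause grows from optional request parameters.
# Every user-supplied value goes into @bind and is handed to execute() as a
# placeholder value, so request data is never interpolated into the SQL text.
my $sql = "SELECT column1 FROM table1 WHERE 1=1 ";
my @bind;    # values for the '?' placeholders, in the order they were appended

# Request parameter -> column it filters on. Column names are fixed in this
# table, not taken from the request, so only the compared values are
# user-controlled.
my @filters = (
    [ foo => 'column2' ],
    [ bar => 'column3' ],
);

for my $filter (@filters) {
    my ($param, $column) = @$filter;

    # scalar() matters: CGI::param() in list context returns every value of a
    # repeated parameter (?foo=a&foo=b), which would push extra elements onto
    # @bind and break the one-value-per-placeholder pairing at execute().
    my $value = scalar( $query->param($param) );

    # A false value such as '0' is treated as "no filter", preserving the
    # original truthiness test; switch to defined/length if '0' must filter.
    next unless $value;

    $sql .= " AND $column = ? ";
    push @bind, $value;
}

# Check both steps explicitly so a failure is not silently ignored when the
# handle was created without RaiseError.
my $sth = $dbh->prepare($sql)
    or die "prepare failed: " . $dbh->errstr;
$sth->execute(@bind)
    or die "execute failed: " . $sth->errstr;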