...
 $dbh = DBI->connect(...);
 $sql = sprintf "SELECT name FROM users WHERE name=%s AND passwd=%s",
           $dbh->quote($bad_name), 
           $dbh->quote($bad_pass);

 ...