my $sth = $dbh->prepare(<<SQL);
    SELECT (foo,bar,baz) 
    FROM dta
    WHERE (user = ? AND position < ?)
SQL

my $user = $q->param('user');
my $position = $q->param('position');
$sth->execute($user, $position);