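# Look up a user row by the 'user' request parameter. The parameter is
# attacker-controlled input, so it must reach the database only as a bound
# value, never as part of the statement text.
# NOTE(review): assumes $dbh is a connected DBI handle created earlier in
# the file — it is not declared in this snippet.
my $q        = CGI->new();
my $username = $q->param('user');

# BAD BAD BAD — never interpolate request input into SQL. A quote character
# in the value ends the string literal and the rest of the value is parsed as
# SQL (SQL injection). Kept here only as an illustration, not as code:
#   my $sql = "select * from users where username='$username'";
#
# GOOD — a placeholder keeps the value out of the statement text; the driver
# binds it as data, so it can never change the query's structure. (Declaring
# $sql once also avoids the "masks earlier declaration" warning the original
# double `my $sql` produced under `use warnings`.)
my $sql = "select * from users where username=?";

my $sth_user = $dbh->prepare_cached($sql)
    or die "can't prepare SQL:" . $dbh->errstr();

# execute() returns false on failure unless RaiseError is enabled on $dbh;
# check it so a failed query is not silently mistaken for "no matching rows".
$sth_user->execute($username)
    or die "can't execute SQL:" . $sth_user->errstr();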