my $q = CGI->new();
my $username = $q->param('user');
my $sql = "select * from users where username='$username'"; # BAD BAD BAD