Ideally you want the prepare statement to have place holders that you can bind variables to with 'execute'. The place holders escape the contents of vars offering some protection against accidental or intentional invalid data.

https://metacpan.org/pod/DBI#Placeholders-and-Bind-Values