in reply to why is this tainted?
It's probably not coming from $email but from $ENV{PATH}. (When running under taint mode, all command-line arguments, environment variables, and file input are marked as tainted.) You can check the taintedness of variables with Devel::Peek and see what the "magic" is set to.
```perl
use CGI qw(param);
use Devel::Peek;
# ...
my $username = param('username');
Dump( $username );
my $sql = "select ...... LIKE '$username'";
Dump( $sql );
# ...
Dump( $email );
Dump( $ENV{PATH} );
```
You should see something like this for $username and $sql and $ENV{PATH}:

```
SV = PVMG(0x81f8890) at 0x8159bec
  REFCNT = 1
  FLAGS = (GMG,SMG,pPOK)
  IV = 0
  NV = 0
  PV = 0x81f3630 "scooby"\0
  CUR = 6
  LEN = 80
  MAGIC = 0x81f3688
    MG_VIRTUAL = &PL_vtbl_taint
    MG_TYPE = 't'
    MG_LEN = 1
```

That MG_TYPE of 't' is showing this scalar is tainted. I would be surprised to see that $email is tainted.
-derby
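An added example, not part of derby's reply, that puts the diagnosis above into a runnable script: it reports which values carry the taint flag (Scalar::Util::tainted is the programmatic form of the MG_TYPE 't' check), shows that interpolating a tainted $username taints the whole SQL string while a constant $email stays clean, and then does the two things taint mode demands before an external command will run: untaint the user value through a regex capture and replace the tainted $ENV{PATH}. The username comes from @ARGV so it is tainted the same way a CGI parameter would be; the character class, the PATH value and the echo command are assumptions for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the original reply). Run as:
#   perl -T taintcheck.pl scooby
use strict;
use warnings;
use Scalar::Util qw(tainted);
use Devel::Peek  qw(Dump);

# Constructed input: under -T everything from @ARGV is tainted, just as a
# CGI param() value would be.
my $username = shift @ARGV or die "usage: perl -T $0 USERNAME\n";

# Built from a constant only, so this is NOT tainted.
my $email = 'user@example.com';

# Interpolating a tainted value taints the whole resulting string.
my $sql = "select * from users where name LIKE '$username'";

# Report the taint flag on each value; expect username, sql and PATH
# to be tainted and email to be clean.
sub taint_report {
    my %vals = @_;
    return { map { $_ => (tainted($vals{$_}) ? 1 : 0) } keys %vals };
}
my $report = taint_report(
    username => $username,
    sql      => $sql,
    email    => $email,
    PATH     => $ENV{PATH},
);
printf "%-8s tainted=%d\n", $_, $report->{$_} for sort keys %$report;

# Devel::Peek shows the same thing as MAGIC ... MG_TYPE = 't' (on STDERR).
Dump($sql);

# Untaint by extracting only characters we explicitly allow (assumed
# policy: alphanumerics and underscore). A capture from a regex match is
# the one sanctioned way to clear the flag, so keep the pattern strict.
my ($clean) = $username =~ /^([A-Za-z0-9_]+)$/
    or die "username '$username' contains disallowed characters\n";
printf "%-8s tainted=%d\n", 'clean', tainted($clean) ? 1 : 0;

# system()/exec() refuse to run while $ENV{PATH} is tainted ("Insecure
# $ENV{PATH}"), even with the list form that bypasses the shell. Drop the
# other environment variables perl treats as dangerous and set a fixed PATH.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/bin:/usr/bin';    # assumed trusted directories
system('echo', "hello $clean") == 0
    or die "echo failed with status $?\n";
```

The fix for the original question follows the same shape: it is $ENV{PATH} (tainted because it is environment input), not $email, that trips the "Insecure $ENV{PATH}" check, so assign it a literal before any system(), exec() or backticks, and untaint request parameters with a capture rather than by copying them.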