I'm guessing you recieve the user/pass combo from form inputs.

my $dbConnect = DBI->connect ("dbi:mysql:dbName", $name, $pass} || err
+Msg();

sub errMsg
{
    print "Not allowed\n";
}
[download]

No valid passwords in the code this way.
Of course, an SSL handshake makes this even more secure, keeping lurkers/hackers etc from snifting out the correct name/pass combo.