To follow up on what BBQ says, it's always a good idea to quote any user input, especially anything arriving from a form, so that someone who enters a logname of "Jack's Giant House o' Pancakes!" won't throw an error. Another way (besides placeholders) to do this is to use the quote function. Once you have an active db handle (e.g. $dbh) just use $dbh->quote("string") and it will return a quoted version. For example, your script could read:

my $logname=$dbh->quote($query->param('log'));
my $passwd=$dbh->quote(query->param('pass'));
[download]

For most databases, this means that a single apostrophe becomes a double apostrophe (among other things) and the string is now "safe" to pass to the database.