in reply to Using SQL Placeholders correctly
$sth_m->execute('?', '$year-$mon-$mday', '$INPUT{'user'}'...to
$sth_m->execute("$year-$mon-$mday", $INPUT{'user'}...
And if $INPUT{'user'} is directly from a CGI form or outside input, be sure to untaint it before using it in a SQL statement. See perlsec on tainting.
And what is $year-$mon-$mday, a concatenation of variables into a string? If so, it should be "$year-$mon-$mday" in the execute() - those are double Perl quotes to interpolate the variables, not single SQL quotes to delimit a value.
Update: removed the ? from the execute, since grinder is right that it is the autoincrement, which is done automatically. Added double quotes around $year-$mon-$mday to make it match what I said below it about needing the double quotes to interpolate the variables ... thanks bart for pointing out my sloppiness.
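The two points of the reply above (bare ? placeholders bound at execute(), and untainting CGI input before it reaches the statement) in one runnable script. This is an added example, not code from the original post or its author: it assumes DBD::SQLite is installed and uses an in-memory database, and the table name, the %INPUT hash, the date variables and the untaint_user() helper are all constructed here for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# In-memory SQLite database so the script runs without a server (assumes DBD::SQLite).
my $dbh = DBI->connect( "dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 } );

# Constructed table: the id is an autoincrement, so it gets no placeholder and no value.
$dbh->do("CREATE TABLE visits (id INTEGER PRIMARY KEY AUTOINCREMENT, day TEXT, user TEXT)");

# Constructed stand-ins for the date parts and the CGI form input from the thread.
my ( $year, $mon, $mday ) = ( 2004, 3, 17 );
my %INPUT = ( user => 'alice' );

# Untaint in the perlsec style: only the listed characters are accepted, and only
# the captured group ($1) is returned, so the result is no longer tainted.
# Anything that does not match is rejected rather than escaped.
sub untaint_user {
    my ($raw) = @_;
    return $raw =~ /^([\w.-]{1,32})$/ ? $1 : undef;
}

# Placeholders are bare ? in the SQL text, with no quotes around them; the
# values are supplied separately to execute() and never spliced into the SQL.
my $sth_m = $dbh->prepare("INSERT INTO visits (day, user) VALUES (?, ?)");

for my $raw ( $INPUT{'user'}, 'bob smith;' ) {
    my $user = untaint_user($raw);
    if ( !defined $user ) {
        print "rejected user input: $raw\n";    # the second value is rejected
        next;
    }
    # Double Perl quotes interpolate the three variables into one string value;
    # that string is bound to the first ?, $user to the second.
    $sth_m->execute( "$year-$mon-$mday", $user );
}

my $rows = $dbh->selectall_arrayref("SELECT id, day, user FROM visits ORDER BY id");
printf "%d %s %s\n", @$_ for @$rows;
```

Run it with perl -T to have Perl enforce the taint checks; with taint mode on, passing $INPUT{'user'} to execute() without going through the regex capture is refused, which is exactly the check the reply recommends.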