I need to make my code immune to SQL injection attacks and any other vulnerabilities. I tried to filter out any malicious characters where people could do harm, but this is the first script I made myself and I'm not sure if it's safe. Can I get any recommendations on making it hacker-proof?
#!/usr/bin/perl
use DBI;
use CGI;
#use CGI::Carp qw(fatalsToBrowser);

# Read the raw POST body and split it into name=value pairs by hand.
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
@pairs = split(/&/, $buffer);
foreach $pair (@pairs) {
    ($name, $value) = split(/=/, $pair);
    $value =~ tr/+/ /;                                        # '+' is an encoded space
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg; # decode %XX escapes
    $value =~ s/\;|\<|\>|\?|\n|\f|\r|\\|\|//g;  # Clean harmful characters.
    $value =~ s/'/\\'/g;                        # replace all ' with \'
    $value =~ s/"/\\"/g;                        # replace all " with \"
    # Strip HTML comments. (Note: < and > were already removed above, so this
    # can no longer match; it is kept here, before the value is stored, so that
    # it would at least apply to the stored value.)
    $value =~ s/<!--(.|\n)*-->//g;
    # Repeated field names are joined with commas. Test with defined() so a
    # first value of "0" is appended to rather than overwritten.
    if (defined $INPUT{$name}) {
        $INPUT{$name} = $INPUT{$name} . "," . $value;
    } else {
        $INPUT{$name} = $value;
    }
}

###########################Begin Get Date#############################
# Defines arrays for the day of the week and month of the year.
@days = ('Sunday','Monday','Tuesday','Wednesday',
         'Thursday','Friday','Saturday');
@months = ('January','February','March','April','May','June','July',
           'August','September','October','November','December');
# Get the current time and format the hour, minutes and seconds. Add
# 1900 to the year to get the full 4 digit year.
($sec,$min,$hour,$mday,$mon,$year,$wday) = (localtime(time))[0,1,2,3,4,5,6];
$time = sprintf("%02d:%02d:%02d",$hour,$min,$sec);
$year += 1900;
# Format the date.
$date = "$days[$wday], $months[$mon] $mday, $year at $time";
#print "$days[$wday], $months[$mon] $mday, $year at $time";
######################################################################

##Set Technology######################################################
# If technology type isn't selected, it needs to be set to false.
if (!$INPUT{'radar'})     {$INPUT{'radar'}     = "false"};
if (!$INPUT{'laser'})     {$INPUT{'laser'}     = "false"};
if (!$INPUT{'vascar'})    {$INPUT{'vascar'}    = "false"};
if (!$INPUT{'airplane'})  {$INPUT{'airplane'}  = "false"};
if (!$INPUT{'photo'})     {$INPUT{'photo'}     = "false"};
if (!$INPUT{'roadblock'}) {$INPUT{'roadblock'} = "false"};
if (!$INPUT{'unknown'})   {$INPUT{'unknown'}   = "false"};
######################################################################

##Start database connections##########################################
$database  = "database";
$db_server = "localhost";
$user      = "user";
$password  = "password";

##Connect to database, insert statement, & disconnect#################
$dbh = DBI->connect("DBI:mysql:$database:$db_server", $user, $password);

# The INSERT is built by string concatenation: every value is pasted
# straight into the SQL text inside single quotes.
$statement = "INSERT INTO speedtrap (state, city, locationname, referencename, lat_deg, lat_min, lat_sec, long_deg, long_min, long_sec, xcoord, ycoord, ttime, level, radar, laser, vascar, airplane, photo, roadblock, unknown, comments, email, name, date_added) VALUES ('"
    . $INPUT{'state'} . "', '" . $INPUT{'city'} . "','" . $INPUT{'locationname'} . "','"
    . $INPUT{'referencename'} . "','" . $INPUT{'lat_deg'} . "','" . $INPUT{'lat_min'} . "','"
    . $INPUT{'lat_sec'} . "','" . $INPUT{'long_deg'} . "', '" . $INPUT{'long_min'} . "', '"
    . $INPUT{'long_sec'} . "','" . $INPUT{'xcoord'} . "','" . $INPUT{'ycoord'} . "','"
    . $INPUT{'ttime'} . "', '" . $INPUT{'level'} . "', '" . $INPUT{'radar'} . "','"
    . $INPUT{'laser'} . "', '" . $INPUT{'vascar'} . "', '" . $INPUT{'airplane'} . "','"
    . $INPUT{'photo'} . "', '" . $INPUT{'roadblock'} . "', '" . $INPUT{'unknown'} . "', '"
    . $INPUT{'comments'} . "', '" . $INPUT{'email'} . "', '" . $INPUT{'name'} . "','"
    . $date . "')";

# If prepare() fails, $sth is undefined, so the error lives in $dbh; and a
# method call does not interpolate inside a double-quoted string, hence the
# explicit concatenation.
$sth = $dbh->prepare($statement) or die "Couldn't prepare the query: " . $dbh->errstr;
$rv  = $sth->execute             or die "Couldn't execute query: "     . $sth->errstr;
$rc  = $sth->finish;
$rc  = $dbh->disconnect;
######################################################################

$query = new CGI;
print $query->redirect('http://www.yourname.com/index.html');
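The script above defends the INSERT by deleting and backslash-escaping characters in the input and then gluing the result into the SQL string. The standard fix is to stop building the SQL text from user data at all: DBI's placeholders (`?`) hand the values to the driver separately from the statement, so quoting is no longer the script's job, and validation can concentrate on what each field is supposed to contain. The following is an added example written for this thread, not awohld's script and not an answer from the thread. It keeps the same table (`speedtrap`), column order and redirect, lets CGI.pm decode the form instead of the hand-written loop, and assumes each field is submitted once; the DSN, credentials and the 2000-character field limit are placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use DBI;

# Added example, not the original poster's code. Same INSERT as the script
# above, rewritten with DBI placeholders plus per-field validation.
my $q = CGI->new;   # CGI.pm decodes %XX and '+' for us

# Free-text columns, in the column order of the INSERT statement.
my @text_fields = qw(state city locationname referencename
                     lat_deg lat_min lat_sec long_deg long_min long_sec
                     xcoord ycoord ttime level);
# Checkbox columns: stored as the literal strings "true"/"false" like the original.
my @flag_fields = qw(radar laser vascar airplane photo roadblock unknown);
# Columns that must contain a number (integer or decimal).
my @numeric_fields = qw(lat_deg lat_min lat_sec long_deg long_min long_sec xcoord ycoord);

# Reject the request with a 400 instead of storing something we do not understand.
sub reject {
    my ($cgi, $msg) = @_;
    print $cgi->header(-type => 'text/plain', -status => '400 Bad Request');
    print "$msg\n";
    exit;
}

my %row;
for my $f (@text_fields, qw(comments email name)) {
    my $v = $q->param($f);
    $v = '' unless defined $v;
    # Assumed upper bound; a length check is the right place to stop oversized input.
    reject($q, "Field $f is too long") if length($v) > 2000;
    $row{$f} = $v;
}
for my $f (@flag_fields) {
    # Whitelist: only the exact string "true" counts as selected.
    my $v = $q->param($f);
    $row{$f} = (defined $v && $v eq 'true') ? 'true' : 'false';
}
for my $f (@numeric_fields) {
    # The regex validates the shape of the value; it is not an escaping step.
    reject($q, "Field $f must be numeric")
        unless $row{$f} =~ /\A-?\d+(?:\.\d+)?\z/;
}

my $date = format_date();

# Placeholder DSN and credentials; RaiseError turns DBI failures into exceptions.
my $dbh = DBI->connect(
    "DBI:mysql:database=database;host=localhost",
    "user", "password",
    { RaiseError => 1, PrintError => 0 },
) or die "Couldn't connect: " . DBI->errstr;

# One '?' per column; the values never touch the SQL text.
my @cols = (@text_fields, @flag_fields, qw(comments email name date_added));
my $sql  = sprintf "INSERT INTO speedtrap (%s) VALUES (%s)",
    join(", ", @cols), join(", ", ("?") x @cols);

my $sth = $dbh->prepare($sql);
$sth->execute(@row{ (@text_fields, @flag_fields, qw(comments email name)) }, $date);
$sth->finish;
$dbh->disconnect;

print $q->redirect('http://www.yourname.com/index.html');

# Same "Weekday, Month D, YYYY at HH:MM:SS" format as the original script.
sub format_date {
    my @days   = qw(Sunday Monday Tuesday Wednesday Thursday Friday Saturday);
    my @months = qw(January February March April May June July August
                    September October November December);
    my ($sec, $min, $hour, $mday, $mon, $year, $wday) = localtime(time);
    return sprintf("%s, %s %d, %d at %02d:%02d:%02d",
        $days[$wday], $months[$mon], $mday, $year + 1900, $hour, $min, $sec);
}
```

With placeholders the character-stripping loop is no longer needed for the database's sake: a quote, semicolon or backslash in `comments` is stored as-is, because it is sent as a bound value rather than as part of the statement. Anything that is still filtered should be filtered because the field's format demands it (the numeric check above), and the output side (whatever later prints these rows as HTML) needs its own escaping, which this insert script cannot do for it.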

In reply to Hacker Proofing My First Script by awohld