Limiting myself to the first four problems that jumped out at me: 1) you don't use warnings; 2) you don't use strict; 3) you don't use CGI.pm to read the parameters; 4) you don't use placeholders in your DBI statements (and that is really, really important when it comes to SQL injection).
I'd advise you to do some reading (there are many good tutorials here, search for security or CGI or DBI).
Update: added link around the word tutorials, thanks PodMaster :-)
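The four points above, shown together in one script, as an added example that is not part of the original post or its author's code. It assumes DBD::SQLite and CGI.pm are installed; the in-memory database, its table and its single row are constructed here only so the script runs stand-alone, and `lookup_unsafe` is kept beside `lookup_safe` purely to show what the placeholder changes.

```perl
#!/usr/bin/perl
use strict;      # point 2: catches undeclared variables and typos in names
use warnings;    # point 1: reports undefined values, bad conversions, etc.
use CGI;         # point 3: parses the request parameters correctly
use DBI;

# Constructed test database (assumes DBD::SQLite); a real script would
# connect to its own data source instead.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE users (name TEXT, email TEXT)");
$dbh->do("INSERT INTO users VALUES (?, ?)", undef, "alice", "alice\@example.com");

# Read the parameter through CGI.pm rather than splitting QUERY_STRING by hand;
# it handles URL decoding and both GET and POST for you.
my $q    = CGI->new;
my $name = $q->param('name');
$name = '' unless defined $name;

# Vulnerable form: the user's input is interpolated into the SQL text itself.
# A single quote in $name ends the string literal early and whatever follows is
# executed as SQL, which is exactly the SQL injection mentioned above.
sub lookup_unsafe {
    my ($dbh, $name) = @_;
    my $sql = "SELECT email FROM users WHERE name = '$name'";
    return $dbh->selectall_arrayref($sql);
}

# Point 4, the safe form: the statement contains a placeholder and the value is
# passed separately as a bind parameter. DBI/the driver never splice it into the
# SQL text, so the input is always treated as data, quotes and all.
sub lookup_safe {
    my ($dbh, $name) = @_;
    my $sql = "SELECT email FROM users WHERE name = ?";
    return $dbh->selectall_arrayref($sql, undef, $name);
}

print $q->header('text/plain');
my $rows = lookup_safe($dbh, $name);
printf "%d row(s) for name '%s'\n", scalar(@$rows), $name;
print "$_->[0]\n" for @$rows;

$dbh->disconnect;
```

Run it from the command line as `perl lookup.pl name=alice` (CGI.pm accepts `name=value` arguments when not under a web server) and then with a value containing a single quote: `lookup_safe` simply returns zero rows, whereas `lookup_unsafe` would either die with a syntax error or, with a crafted value, run a query you never wrote. The same `?` placeholders work with `prepare`/`execute` for statements you run many times.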