My random snippets of advice:
- Use taint mode (the -T flag). This makes it much harder to shoot yourself in the foot with many types of injection attacks. Look at the options in the DBI module that will allow you to treat SQL data as tainted and SQL statements as dangerous.
- Put your CGI scripts outside of a public_html area, if possible. Just in a cgi-bin directory is fine. Otherwise a small mistake could allow the script's source to be viewed, which could be dangerous if it contains passwords.
- Put your Perl modules in another directory altogether (I call mine cgi-lib), so they can't be executed on their own from cgi-bin or viewed in a public_html directory.
- Make your scripts with passwords readable only by the user the Web server runs as and by you, if possible. This reduces the circumstances under which the passwords can be viewed.
- Make sure the user the Web server runs as doesn't have permission to write anywhere that could be executed, including areas where execution could be turned on in an .htaccess file. That can allow a "write to the filesystem" bug to escalate to a "full control of your Web site" bug.
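Here is what the first point looks like in practice, as an added example rather than code from the original post: a CGI script run under -T that whitelists its one input and turns on DBI's TaintIn/TaintOut attributes. The field name, the table and column, the whitelist regex and the SQLite DSN are assumptions for illustration; CGI.pm and DBD::SQLite are assumed to be installed.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI;    # assumed installed (CGI.pm left the Perl core in 5.22)
use DBI;    # DBD::SQLite assumed for the demo

# Under -T everything that comes from outside (CGI params, %ENV, file
# contents, and database rows once TaintOut is on) is tainted, and Perl
# dies if tainted data reaches a shell, an open() for writing, eval
# STRING and so on. The only way to untaint is a regex capture, which
# forces you to spell out what the data may look like.

# Whitelist untaint: returns the captured value, or undef if the input
# does not fit. The character class and length limit are assumptions.
sub untaint_username {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9_]{1,32})\z/ ? $1 : undef;
}

my $q    = CGI->new;
my $user = untaint_username( $q->param('user') );    # 'user' field assumed

unless ( defined $user ) {
    print $q->header( -status => '400 Bad Request', -type => 'text/plain' ),
        "invalid user name\n";
    exit 0;
}

# TaintIn: DBI dies if any argument to its methods (the SQL text *or* a
# bind value) is still tainted. This is what makes -T useful against SQL
# injection: to Perl, a concatenated SQL string is just a string, so
# without TaintIn taint mode would happily pass it to the database.
# TaintOut: fetched data comes back tainted, so it cannot flow into a
# shell command or a file name without going through a regex as well.
my $dbh = DBI->connect( 'dbi:SQLite:dbname=app.db', '', '',
    { RaiseError => 1, PrintError => 0, TaintIn => 1, TaintOut => 1 } );

# Placeholders keep the value out of the SQL text entirely. If you drop
# the untaint_username() call above and pass the raw parameter, this
# execute() dies under TaintIn instead of reaching the database.
my $sth = $dbh->prepare('SELECT email FROM users WHERE name = ?');    # table assumed
$sth->execute($user);
my ($email) = $sth->fetchrow_array;

# $email is tainted because of TaintOut. Printing it to the client is
# allowed; using it as a file name or shell argument is not until it has
# been untainted too.
print $q->header( -type => 'text/plain' );
print defined $email ? "$user <$email>\n" : "no such user\n";
```

Start it through the shebang (or with `perl -T script.cgi`); running `perl script.cgi` without -T dies with "Too late for "-T" option" because taint mode has to be on before the first line is compiled. Placeholders alone would already stop the injection here; TaintIn is the safety net for the day someone builds a query by concatenation.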
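For the layout and permission points (scripts and modules outside public_html, password-bearing files readable only by you and the server user, nothing executable writable by the server user), here is an added audit script that checks a site against them. It is not from the original post. The web server user name, the paths and the list of files that hold passwords are assumptions; edit them for your site. The whole document root is treated as a place execution might be turned on, since an .htaccess file can do that.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Find;
use Fcntl ':mode';

# --- assumptions for this demo; edit for your site -------------------
my $WEB_USER   = 'www-data';                        # user the httpd runs as
my @SECRET     = (
    '/var/www/cgi-bin/login.cgi',                   # scripts/modules that
    '/var/www/cgi-lib/Site/DB.pm',                  # contain passwords
);
my @EXEC_ROOTS = (
    '/var/www/cgi-bin',                             # ScriptAlias'd directory
    '/var/www/html',                                # docroot: .htaccess can enable execution
);
# ---------------------------------------------------------------------

my ( $wuid, $wgid ) = ( getpwnam $WEB_USER )[ 2, 3 ];
die "no such user: $WEB_USER\n" unless defined $wuid;

# Primary group plus every group that lists the web user as a member.
my @gids = ($wgid);
while ( my ( undef, undef, $gid, $members ) = getgrent ) {
    push @gids, $gid if grep { $_ eq $WEB_USER } split ' ', $members;
}
endgrent;

# Would a process with this uid and these gids have $perm ('r' or 'w')
# on $path? Uses the POSIX rule: owner bits if you own it, else group
# bits if you are in its group, else other bits. Symlinks are skipped
# so a link does not stand in for its target's permissions.
sub has_access_as {
    my ( $path, $perm, $uid, $gids ) = @_;
    my @st = lstat $path or return 0;
    my ( $mode, $fuid, $fgid ) = @st[ 2, 4, 5 ];
    return 0 if S_ISLNK($mode);
    my ( $u, $g, $o ) = $perm eq 'w'
        ? ( S_IWUSR, S_IWGRP, S_IWOTH )
        : ( S_IRUSR, S_IRGRP, S_IROTH );
    return ( $mode & $u ) ? 1 : 0 if $fuid == $uid;
    return ( $mode & $g ) ? 1 : 0 if grep { $_ == $fgid } @$gids;
    return ( $mode & $o ) ? 1 : 0;
}

# Files holding passwords: the server user must be able to read them,
# "other" must not (something like owner you, group www-data, mode 0640).
for my $f (@SECRET) {
    my @st = stat $f or do { warn "$f: $!\n"; next };
    my $bits = $st[2] & 07777;
    printf "%s: mode %04o is world-readable\n", $f, $bits if $bits & S_IROTH;
    print "$f: $WEB_USER cannot read it, the script will fail\n"
        unless has_access_as( $f, 'r', $wuid, \@gids );
}

# Everything the server could execute: nothing in there, directories
# included, may be writable by the server user, and Perl modules do not
# belong in a directory that is served or executed from at all.
find(
    sub {
        my $name = $File::Find::name;
        print "$name: writable by $WEB_USER\n"
            if has_access_as( $_, 'w', $wuid, \@gids );
        print "$name: Perl module inside a served/executable directory\n"
            if -f $_ && /\.pm\z/;
    },
    grep { -d } @EXEC_ROOTS
);
```

Run it as a user that can read the whole tree (root, or the account that owns the site) after every deployment. A writable directory is reported on purpose even when no file in it is writable: being able to create a new .cgi file there is exactly the escalation the last point warns about.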