I see several problems in your script. This string end with ',':

my $user = $query->param("username"),
[download]

I propose to rewrite it to

my $user = $query->param("username") || '';
if ($user) {
...all remaining code...
} else {
 print "No user<br>";
}
[download]

Also use placeholders, or $db_handle->quote. Placeholders are very convinient.