(Not directly related to your question) Using CGI and DBI without Taint is asking for trouble. You are taking $user out of the environment and stuffing it straight into your database query, without so much as a sanity check or placeholders.