Yes, do it exactly as you suggested... except you really should use bound parameters to avoid SQL injection attacks. Alternately you can use DBI's quote method.
Something like this:
my $sql = q{UPDATE now_time SET time= NOW(), location=?, count=count+1
            WHERE ip=?};
$dbh->do($sql, {}, $ENV{HTTP_REFERER}, $userip)
    or die $dbh->errstr;
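
The three ways of building this UPDATE, side by side, as an added example that is not part of the original post: string interpolation, bound parameters, and DBI's quote method, all fed a Referer value containing an apostrophe. It assumes DBD::SQLite is installed and uses an in-memory table in place of the poster's database, so `datetime('now')` stands in for `NOW()`; the sample addresses and Referer are constructed.

```perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is installed; an in-memory database stands in for
# the poster's table, so datetime('now') replaces NOW().
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 });
$dbh->do(q{CREATE TABLE now_time (ip TEXT PRIMARY KEY, time TEXT,
                                  location TEXT, count INTEGER)});
$dbh->do(q{INSERT INTO now_time (ip, count) VALUES (?, 0)}, {}, $_)
    for '192.0.2.10', '192.0.2.11';

# Constructed sample input: a Referer header is client-supplied text and
# may legitimately contain an apostrophe.
my $referer = "http://example.com/search?q=o'brien";
my $userip  = '192.0.2.10';

# 1. String interpolation: the apostrophe ends the SQL literal early, so the
#    statement text itself is changed by the input and fails to parse.
my $ok = eval {
    $dbh->do("UPDATE now_time SET time=datetime('now'), location='$referer', "
           . "count=count+1 WHERE ip='$userip'");
    1;
};
print "interpolated: ", ($ok ? "ran\n" : "failed: $@");

# 2. Bound parameters: values travel separately from the statement text.
$dbh->do(q{UPDATE now_time SET time=datetime('now'), location=?,
           count=count+1 WHERE ip=?}, {}, $referer, $userip);

# 3. DBI's quote method: escapes the value and adds the surrounding quotes,
#    so the result is placed into the SQL without extra quote characters.
my $sql = sprintf q{UPDATE now_time SET time=datetime('now'), location=%s,
                    count=count+1 WHERE ip=%s},
                  $dbh->quote($referer), $dbh->quote($userip);
$dbh->do($sql);

# Both safe forms store the Referer byte for byte and touch only one row.
my ($location, $count) = $dbh->selectrow_array(
    q{SELECT location, count FROM now_time WHERE ip=?}, {}, $userip);
print "stored location: $location\ncount: $count\n";
```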