Use the regex to untaint the user-entered string:

my $GOOD_NAME = qr/^(us\w*)/i;

my ( $accepted_name ) = $entered_un =~ /$GOOD_NAME/
    or die "Unacceptable input: $entered_un";

$sql = "select name, pass from unpw where name = '$accepted_name'";
[download]