in reply to Insecure dependecy in parameter while running with -T switch

The error is in how you are constructing $sql (which you don't show). Most likely you are taking parameters from the CGI request and interpolating them into your SQL like this:

    use CGI;
    my $q        = CGI->new();
    my $username = $q->param('user');
    my $sql      = "select * from users where username='$username'";  # BAD BAD BAD

You should never interpolate data from outside of your program into SQL or other things passed to other libraries. In this case, you should learn about and use DBI placeholders:

    # $dbh is an already-connected DBI database handle
    my $sql      = "select * from users where username=?";  # GOOD
    my $sth_user = $dbh->prepare_cached($sql)
        or die "can't prepare SQL: " . $dbh->errstr();
    $sth_user->execute($username);  # the value is sent separately from the SQL text

You should also make sure that your $username corresponds to what you expect. See perltaint for how to check and how to untaint.
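A runnable version of the two pieces of advice above, added here as an example and not taken from the post: it runs under -T, untaints the request value with a strict regex, and queries through a DBI placeholder. It assumes DBD::SQLite is installed; the in-memory table, the sample inputs and the helper untaint_username are constructed for the example.

```perl
#!/usr/bin/perl -T
# Run as: perl -T example.pl
use strict;
use warnings;
use DBI;

# Hypothetical helper: under -T the request value is tainted, and the only
# way to untaint it is a regex capture. Accept exactly the characters a
# username may contain and reject everything else instead of "cleaning" it.
sub untaint_username {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9_.-]{1,32})\z/;
    return;
}

# Constructed in-memory database standing in for the real users table.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE users (username TEXT, email TEXT)');
$dbh->do('INSERT INTO users VALUES (?, ?)', undef, 'alice', 'alice@example.com');

# Constructed stand-ins for $q->param('user'): one valid, one not.
for my $input ('alice', 'not a name!') {
    my $username = untaint_username($input);
    unless (defined $username) {
        print "rejected: $input\n";
        next;
    }
    # Placeholder: the SQL text is fixed; the value travels separately, so
    # the driver never treats it as part of the statement.
    my $sth = $dbh->prepare_cached('SELECT email FROM users WHERE username = ?');
    $sth->execute($username);
    my ($email) = $sth->fetchrow_array;
    $sth->finish;
    print "$username -> ", (defined $email ? $email : 'no such user'), "\n";
}
```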

Re^2: Insecure dependecy in parameter while running with -T switch
by Anonymous Monk on Apr 13, 2010 at 13:32 UTC