You use placeholders:

$sth = $dbh->prepare('Select @rownum:=@rownum+1 rank, p.* from player 
++p, (SELECT @rownum:=0) r order by score desc limit ?');
# and later
$sth->execute($temp);
[download]

This is generally safer than interpolating variables into SQL strings, and prevents SQL injection attacks.

See also: DBI, and perlop for the rules about string interpolation and escaping.