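# Force scalar context: in list context param() may return several values, and a second one would be taken by quote() as its data-type argument.
my $sql = '.... = ' . $dbh->quote( scalar $cgi->param('user') );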