my $sql = "SELECT  * FROM user WHERE user = ?";
my $sth = $dbh->prepare($sql);
$sth->execute($user);