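# Fetch the user-supplied name from the request.
# NOTE(review): as written, $query is invoked as a code reference; if $query
# is a CGI object the usual call is $query->param('username') -- confirm.
my $username = $query->('username');

# Do some input validation if necessary.
# The placeholder below keeps the value out of the SQL text, but checking
# length and allowed characters here is still useful as a second layer.

# DBI code
# The "?" placeholder means $username is never interpolated into the
# statement string; it is handed to the driver as a bound value.
my $sql = "SELECT * FROM users WHERE username = ?";

# ... (elided in the original; presumably $sth is prepared from $sql here)

$sth->execute($username);

####
# What the database effectively evaluates when the submitted name is
# "PotPieMan; DROP TABLE users": the whole input is a single string literal
# compared against the username column, so no second statement is run.
#
#   SELECT * FROM users WHERE username = 'PotPieMan; DROP TABLE users';
#
# This is a conceptual rendering. Depending on the DBD driver, the value is
# either sent separately from the statement text or quoted by the driver
# before sending; in both cases it is treated as data, not SQL.
#
# Placeholders bind values only. A table or column name taken from input
# cannot be bound this way and needs an allow-list instead.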