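# Two ways to get untrusted input ($userinput) into a WHERE clause without
# SQL injection. In both, $userinput never becomes part of the SQL text
# by interpolation -- that is the one thing this snippet must never do.

# Preferred: a placeholder. The value is bound at execute time and sent to
# the driver separately from the statement, so it cannot be parsed as SQL.
# DBI returns a false value on failure unless the handle was opened with
# RaiseError, so check both calls rather than running on a failed prepare.
my $sth = $dbh->prepare("select * from foo where bar = ?")
    or die "prepare failed: " . $dbh->errstr;
$sth->execute($userinput)
    or die "execute failed: " . $sth->errstr;

#### Alternative: have the driver quote the value as a string literal.
# Weaker than a placeholder: the value still travels inside the SQL text,
# and quote() is only correct for the driver behind this $dbh. Neither form
# can substitute a table or column name -- use $dbh->quote_identifier for
# identifiers, never quote() or a placeholder.
# my $sql = sprintf "select * from foo where bar = %s", $dbh->quote($userinput);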