In addition to the enormous security problems other posters have pointed out with $email, I'd also like to point out that what you're doing with $username in $sql is also very bad. Consider using bind variables here. As it's written now, I can put whatever I want into username and it will be interpreted as raw SQL, which means I can do some potentially nasty stuff with your database.

# The ? placeholder is filled in by execute(), so $username is passed as data, not as SQL text.
$sth = $dbh->prepare('select x, y from z where username=?')
    or die "prepare: " . $dbh->errstr;
$sth->execute($username) or die "execute: " . $dbh->errstr;
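
Added example, not part of the original post: a side-by-side run of an interpolated query and the bind-variable form from the reply above, over constructed inputs. It assumes DBD::SQLite is installed and that the original $sql interpolated $username into a quoted string; the helper names and sample rows are hypothetical.

```perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; an in-memory database stands in for the real one.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 });

# Constructed sample data, using the table and column names from the post's snippet.
$dbh->do('create table z (x integer, y text, username text)');
my $ins = $dbh->prepare('insert into z (x, y, username) values (?, ?, ?)');
$ins->execute(1, 'alice row',  'alice');
$ins->execute(2, 'bob row',    'bob');
$ins->execute(3, 'obrien row', q{O'Brien});

# Interpolated form (assumed shape of the original $sql): the value becomes SQL text.
sub lookup_interpolated {
    my ($username) = @_;
    my $sql = "select x, y from z where username='$username'";
    return eval { $dbh->selectall_arrayref($sql) };    # undef if the SQL fails to parse
}

# Bind-variable form: the statement text is fixed, the value travels separately.
sub lookup_bound {
    my ($username) = @_;
    my $sth = $dbh->prepare('select x, y from z where username=?');
    $sth->execute($username);
    return $sth->fetchall_arrayref;
}

# Constructed inputs: an ordinary name, a legitimate name containing a quote,
# and a value whose quote changes the WHERE clause when interpolated.
for my $input ('alice', q{O'Brien}, q{nobody' or '1'='1}) {
    my $plain = lookup_interpolated($input);
    my $bound = lookup_bound($input);
    printf "%-20s interpolated: %-10s bound: %d row(s)\n",
        $input,
        defined $plain ? scalar(@$plain) . ' row(s)' : 'SQL error',
        scalar @$bound;
}
```

With the interpolated query, the quoted name fails to parse and the third input matches every row; with the placeholder, each input is compared as a literal string, so only exact username matches come back.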