You shouldn't ever directly include data that is provided by a user in your SQL. It should always be bound, or quoted where binding isn't available.
# Interpolated ... bad
my $sql = "insert into hits (browser) values ('$ENV{HTTP_USER_AGENT}')
+"
$dbh->do($sql);
# Bound ... best
my $sql = "insert into hits (browser) values (?)";
$dbh->do($sql, {}, $ENV{HTTP_USER_AGENT});
# Quoted ... tolerable
my $sql = sprintf "insert into hits (browser) values (%s)", $dbh->quot
+e($ENV{HTTP_USER_AGENT});
$dbh->do($sql);
It is trivial for users to modify their user agent string, never trust users.