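# Three ways to put a request header into an INSERT through DBI's do().
# The User-Agent header is chosen by the client, so the content of
# $ENV{HTTP_USER_AGENT} must be treated as untrusted input.
# Each variant sits in its own bare block so that the repeated `my $sql`
# does not mask an earlier declaration in the same scope.

# Interpolated ... bad
# The header text becomes part of the SQL statement itself. A quote character
# in the header ends the string literal and whatever follows is parsed as SQL
# (SQL injection). Shown for contrast only; do not use this form.
{
    my $sql = "insert into hits (browser) values ('$ENV{HTTP_USER_AGENT}')";
    $dbh->do($sql);
}

# Bound ... best
# The statement text is a constant; the value is handed to the driver as a
# bind value for the `?` placeholder instead of being spliced into the SQL.
# The empty hash reference is do()'s attribute argument, which must precede
# the bind values.
{
    my $sql = "insert into hits (browser) values (?)";
    $dbh->do($sql, {}, $ENV{HTTP_USER_AGENT});
}

# Quoted ... tolerable
# $dbh->quote() escapes the value for the connected driver and supplies the
# surrounding quotes, which is why the format uses a bare %s. This is only
# "tolerable" because every interpolated value has to be quoted by hand, and
# one missed call brings back the injection problem of the first variant.
{
    my $sql = sprintf "insert into hits (browser) values (%s)",
        $dbh->quote($ENV{HTTP_USER_AGENT});
    $dbh->do($sql);
}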