# Anti-pattern, kept as an illustration: the complete SQL statement is read
# from the request parameter "sql_query" and passed to do() unchanged.
# Whoever can send the request therefore chooses what the database executes,
# with every privilege the connected account holds.
#
# Bind placeholders cannot repair this, because the statement text itself
# (not merely a value inside it) is caller-controlled. The defensible design
# is to accept an identifier, map it through a server-side allowlist to a
# fixed statement, pass only values as bind parameters, and connect with a
# least-privileged database account.

# Scalar assignment: presumably CGI.pm, where this yields a single value
# even if the parameter is repeated in the request -- TODO confirm.
my $code = $cgi->param("sql_query");

# This is dangerous: request-supplied text is executed as SQL with no
# validation, allowlisting or authorization check visible here.
$dbh->do($code);