my $str = shift;
       my $sql = "SELECT *.... where blablabla = ?";

       my $sth = $dbh->prepare($sql) or die 'Fehler: $DBI::errstr\n";
       $sth->execute($str);