- tainting
- SSL
- warnings
- use strict
- form checking every inputted variable
- CGI.pm to disallow uploads and to have a certain max length to avoid DoS
- MySQL queries using placeholders and/or having = '$taint_input'
- MySQL user passwords using MD5
- session management using MD5 session code (CGI::Session)
- MySQL is password protected (password is not shown in any Perl scripts)
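
The CGI.pm limits, per-field input checking and placeholder items above, combined in one added Perl example (not code from the original page). The field names, allow-list patterns, the 10 KiB limit and the in-memory SQLite database standing in for MySQL are assumptions.

```perl
#!/usr/bin/perl
# Run as: perl -T example.pl   (taint mode, as in the items above)
use strict;
use warnings;
use CGI;
use DBI;

# CGI.pm limits: refuse file uploads and cap the request body size.
$CGI::DISABLE_UPLOADS = 1;
$CGI::POST_MAX        = 10 * 1024;    # 10 KiB, a constructed limit

# Return an untainted copy of $value if it fits $max_len and matches the
# allow-list $pattern in full; otherwise return nothing (undef).
sub clean_field {
    my ($value, $pattern, $max_len) = @_;
    return unless defined $value && length($value) <= $max_len;
    return $value =~ /\A($pattern)\z/ ? $1 : undef;
}

# Constructed request, parsed from a string so the script runs offline.
my $q = CGI->new("user=alice&note=it's+fine");
# An over-limit POST is reported through cgi_error, so it must be checked.
die "request rejected: " . $q->cgi_error . "\n" if $q->cgi_error;

my $user = clean_field(scalar $q->param('user'), qr/[a-z0-9_]{1,32}/, 32);
my $note = clean_field(scalar $q->param('note'), qr/[\x20-\x7e]{0,200}/, 200);
die "invalid input\n" unless defined $user && defined $note;

# Assumption: in-memory SQLite (DBD::SQLite) stands in for the MySQL server.
# TaintIn makes DBI reject tainted arguments when running under -T.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0, TaintIn => 1 });
$dbh->do('CREATE TABLE notes (user TEXT, note TEXT)');

# Placeholders: the values travel as bound parameters, so the quote in
# $note is stored as data and never becomes part of the SQL text.
my $ins = $dbh->prepare('INSERT INTO notes (user, note) VALUES (?, ?)');
$ins->execute($user, $note);

my ($stored) = $dbh->selectrow_array(
    'SELECT note FROM notes WHERE user = ?', undef, $user);
print "stored note: $stored\n";
```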