use CGI qw( escape );
#[...]
if (isset($HTTP_POST_VARS)) {
    while (list ($header, $value) = each ($HTTP_POST_VARS)) { 
        $QSTRING = $QSTRING.'&'.$header.'='.escape($value);
    }                       # I added this: ^^^^^^^      ^
}