#!/usr/bin/perl -wT
use strict;
use CGI;

# clean your environment
BEGIN { $ENV{PATH} = '/usr/bin:/usr/local/bin'; }

my $useradd = '/full/path/to/useradd';
my( $site_count, $username ); # and so on...

# get input, which will be tainted...
# my $username = $CGI->param('username');

# untaint input
#   for instance, username is 1 to 12 word characters
if( $username =~ /^(\w{1,12})$/ ) { $username = $1 }
# and so on...

# now call system, with list of arguments to bypass shell
system( 
  $useradd, 
  qq|-c "fullname"|,
  qq|-d /home/sites/site$site_count/users/$username|,
  qq|-g site$site_count|,
  qq|and so on...|,
) and error( "oh, i didn't expect that! $!" );