sub do_auth_check
{
  # get self object and CGI query object
  my $self = shift;
  my $q = $self->query();
  
  # get user info from cookies
  my($uname,$pwd) = ( $q->cookie('username'), $q->cookie('password') );
  warn($uname.':'.$pwd); # DEBUG use only
  
  # build command
  my $com = 'env QUERY_STRING=username='.$uname.'\;password='.$pwd.' /usr/bin/custom_auth_tool';
  warn('running command "'.$com.'"'); # DEBUG use only
  
  # run command through a pipe
  open(WEBOS,"$com|");
  $com = join('', <WEBOS>);
  close(WEBOS);
  
  # remove newlines (should also take care of tainting, IIRC)
  $com =~ s/\x0D?\x0A//g;
  
  warn('ran command "'.$com.'"'); # DEBUG use only
  return $com;
}

##</code><code>##

evan:password at AppTest.pm line 554.
running command "env QUERY_STRING=username=evan\;password=password /usr/bin/custom_auth_tool" at AppTest.pm line 561.
ran command: "" at AppTest.pm line 566.

##</code><code>##

#!perl

use strict;
use CGI;

my $q = new CGI;

my $uname = $q->cookie('username');
my $pwd = $q->cookie('password');

my $com = 'env QUERY_STRING=username='.$uname.'\;password='.$pwd.' /usr/bin/custom_auth_tool';

print "Content-Type: text/plain\n\n",
      "Command:\n$com\n\n";

open(WEBOS,"$com|");
$com = join('', <WEBOS>);
close(WEBOS);

print "Result:\n$com\n\n";

##</code><code>##

Command:
env QUERY_STRING=username=evan\;password=password /usr/bin/custom_auth_tool

Result:
user evan authenticated