I agree completely with ajt's worries about the security of what you're doing, but I'd also like to raise a couple of points about your use of CGI.pm.

CGI.pm has two APIs - an object oriented interface and a functional interface. Although the majority of references seem to use the OO interface, I think that the functional interface is simpler to use.

In the functional interface you import a set of functions into your program's namespace. You do this by passing optional arguments into the use CGI statement like this:

use CGI qw(:standard);
[download]

:standard defines a particular set of functions that will cover most of your CGI needs. Having imported the functions you can just use them without having to create an object. Like this:

use CGI qw(:standard);

my $name = param('name');
print header, start_html, h1('Test Page');
print p("The name is $name");
print end_html;
[download]

On the other hand, if you use the OO interface you need to create a CGI object and then access all of the functions thru that object. Like this:

use CGI;

my $q = CGI-new;

my $name = $q->param('name');
print $q->header, $q->start_html, $q->h1('Test Page');
print $q->p("The name is $name");
print $q->end_html;
[download]

It's not that much more typing, but I think that the functional version looks neater.

I mention this, because you use the functional way of loading CGI.pm but then go on to use the OO interface thoughout your script. This shows that you may be slightly confused.

Oh, and one more thing about the OO interface. Using syntax like:

my $q = new CGI;

instead of

my $q = CGI->new;

Is going to work fine 999 times out of a 1000, but it can occasionally lead to very hard to track down bugs. Read what Damian Conway says about the indirect object syntax in Object Oriented Perl for a full description of the problems.

Blessed Be
The Pixel