in reply to Web form security
CGI.pm has no provisions for this, as it highly recommends staying to the param() function.
A better solution in your case is to create an array of allowed variable names, and then only read variable names from the form that are in this group, e.g.:

    my @safe_vars = qw( name address phone age );
    ...
    @names = $q->param;
    foreach $name (@names) {
        # Only import parameters whose names are on the allow list
        if ( grep { $_ eq $name } @safe_vars ) {
            # Symbolic reference: sets $name, $address, $phone or $age
            $$name = $q->param($name);
            #print $name, ': ', $$name, '<BR>';
        }
    }

(TMTOWTDI, of course, but the general idea is there).
-----------------------------------------------------
Dr. Michael K. Neylon - mneylon-pm@masemware.com
"You've left the lens cap of your mind on again, Pinky" - The Brain
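
A variant of the allow-list idea in the post above that runs under `use strict`, added here as an example and not part of the original reply: values go into a hash instead of same-named variables set through symbolic references, and each allowed field must also match a pattern. The patterns, the `read_form` helper and the sample query string are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Allow list: field name => pattern its value must match.
# The field names come from the post; the patterns are assumptions.
my %allowed = (
    name    => qr/\A[\w .'-]{1,64}\z/,
    address => qr/\A[\w .,#'-]{1,128}\z/,
    phone   => qr/\A\+?[\d ()-]{7,20}\z/,
    age     => qr/\A\d{1,3}\z/,
);

# Copy only allow-listed, well-formed fields into a hash and
# return the names of everything else so it can be logged.
sub read_form {
    my ($q) = @_;
    my (%form, @rejected);
    for my $name ($q->param) {
        my $value = scalar $q->param($name);    # first value only
        if (   exists $allowed{$name}
            && defined $value
            && $value =~ $allowed{$name} )
        {
            $form{$name} = $value;
        }
        else {
            push @rejected, $name;
        }
    }
    return ( \%form, \@rejected );
}

# Constructed request: two valid fields, one malformed value,
# and two parameter names that are not on the allow list.
my $q = CGI->new('name=Ann+Lee&age=41&phone=abc&PATH=%2Ftmp&safe_vars=x');
my ( $form, $rejected ) = read_form($q);

print "accepted: $_ = $form->{$_}\n" for sort keys %$form;
print "rejected: $_\n"               for sort @$rejected;
```

Because nothing is written outside `%form`, a submitted parameter name can never overwrite a program variable, whether or not it is on the list.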