in reply to Web form security

Your method of importing variables is maybe not the best way to go about things. From CGI's POD:
IMPORTING ALL PARAMETERS INTO A NAMESPACE:

    $query->import_names('R');

This creates a series of variables in the 'R' namespace. For example, $R::foo, @R:foo. For keyword lists, a variable @R::keywords will appear. If no namespace is given, this method will assume 'Q'. WARNING: don't import anything into 'main'; this is a major security risk!!!!

In older versions, this method was called import(). As of version 2.20, this name has been removed completely to avoid conflict with the built-in Perl module import operator.
And, looking in CGI's source code (v. 2.74), we see the following inside of import_name:

    # protect against silly names
    ($var = $param)=~tr/a-zA-Z0-9_/_/c;
    $var =~ s/^(?=\d)/_/;
which will only check the validity of the parameter's name; its value may still be malicious in some fashion. See perlsec for more on dealing with this type of 'tainted' data.
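
The distinction drawn above, as an added example that is not part of the original post or of CGI.pm: the two quoted lines clean up only the variable name, so each value still needs its own allow-list check of the kind perlsec describes. The helper names, the per-field rules and the sample form input are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The name clean-up quoted above from CGI.pm 2.74, wrapped in a
# hypothetical helper so it can be run on its own.
sub safe_var_name {
    my ($param) = @_;
    (my $var = $param) =~ tr/a-zA-Z0-9_/_/c;   # any other character becomes "_"
    $var =~ s/^(?=\d)/_/;                      # a leading digit gets a "_" prefix
    return $var;
}

# Allow-list check in the style perlsec describes: hand back the captured
# match (the form that also untaints under -T), or undef when the value
# does not fit or no rule exists for the field.
sub clean_value {
    my ($value, $pattern) = @_;
    return unless defined $value && defined $pattern;
    return $value =~ /\A($pattern)\z/ ? $1 : undef;
}

# Constructed form input: parameter name => submitted value.
my %submitted = (
    'user-name' => 'alice',
    '1st.file'  => 'report.txt; echo injected',
    'count'     => '12',
);

# Hypothetical per-field rules, keyed by the sanitised variable name.
my %rule = (
    user_name => qr/[A-Za-z][A-Za-z0-9_]{0,31}/,
    _1st_file => qr/[A-Za-z0-9_]+\.[A-Za-z0-9]{1,8}/,
    count     => qr/[0-9]{1,4}/,
);

for my $param (sort keys %submitted) {
    my $var   = safe_var_name($param);
    my $value = clean_value($submitted{$param}, $rule{$var});
    # The name is always made safe; the value is accepted only if it fits.
    printf "%-10s -> \$R::%-10s %s\n", $param, $var,
        defined $value ? "accepted '$value'" : "REJECTED '$submitted{$param}'";
}
```

The `1st.file` parameter ends up with a perfectly valid variable name while its value is rejected, which is the gap the name check alone leaves open.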