in reply to Re: Perl CGI redirect
in thread Perl CGI redirect

The variables you give after the ? are usually sent as %ENV variables. Why not try to print them all and see if your webserver is like that?

Trying to parse the query parameters out of %ENV vars yourself is an "ancient" method of doing things, which should no longer be recommended. The OP is already using CGI, which is a much better way of getting the parameters.

There is also something called Tainted mode, which you should use once your test code is working, because what if the string after the ? is 2Mb big? Or an invalid URL, etc.

Using taint mode is generally a good idea but it won't directly help with the two examples you mention. See perlsec.
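An added example (not code from this thread) of a redirect script that takes its parameter through CGI and handles the two cases above with explicit checks, since taint mode does not stop tainted data from reaching `print`. The parameter name `target`, the size limits and the host allowlist are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. The parameter name "target",
# the size limits and the host allowlist are assumptions.
use strict;
use warnings;
use CGI ();

$CGI::POST_MAX        = 4096;   # cap POST bodies before CGI.pm reads them
$CGI::DISABLE_UPLOADS = 1;      # this script never accepts file uploads

my $MAX_LEN       = 2048;                                  # assumed limit
my %ALLOWED_HOSTS = map { $_ => 1 } qw(www.example.org);   # assumed allowlist

# Returns a validated URL, or undef if the input must be rejected.
sub checked_target {
    my ($raw) = @_;
    return unless defined $raw && length $raw;
    return if length($raw) > $MAX_LEN;                     # oversized input
    # Absolute http(s) URL: no userinfo, whitespace, control chars or CR/LF.
    my ($url, $host) =
        $raw =~ m{\A(https?://([A-Za-z0-9.-]+)(?::\d{1,5})?(?:/[\x21-\x7e]*)?)\z}
        or return;
    return unless $ALLOWED_HOSTS{ lc $host };              # open-redirect check
    return $url;    # taken from a regex capture, so it is also untainted
}

# Send an error status and stop.
sub reject {
    my ($q, $status) = @_;
    print $q->header(-status => $status, -type => 'text/plain'), "$status\n";
    exit;
}

my $q = CGI->new;
if (my $err = $q->cgi_error) {      # e.g. POST_MAX exceeded
    reject($q, $err);
}
# GET data arrives in QUERY_STRING, which POST_MAX does not cover.
reject($q, '414 Request-URI Too Long')
    if length($ENV{QUERY_STRING} // '') > $MAX_LEN;

my $target = checked_target( scalar $q->param('target') );
reject($q, '400 Bad Request') unless defined $target;

print $q->redirect(-uri => $target, -status => '302 Found');
```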