As Masem noted, you're doing things that are horribly insecure here.

Generally when doing CGI (especially where that CGI does stuff interesting with the filesystem, processes or a back-end piece like a database), you want to run with taint-checking enabled, and set the "Taint" flag on your DBI object so that it won't let you pass untainted data.

#!/usr/bin/perl -wT

use DBI;

my $dbh = DBI->connect($dsn, $user, $password, { Taint => 1 });
...
[download]