A suggestion: use strict warnings and diagnostics or die; it also would be a good idea to use the module CGI, as its parser is considered the best for query strings; note also that your if statements can be combined. I'm not sure, but I believe it's the roll-your-own parser that's causing you grief. Also look at perlsec. Try using CGI, strict, and warnings (or -w), as well as possibly taint mode (perlrun / perlsec) then come back if you still have problems.