in reply to Using Variables in Path Names

While I'm not a member of the CGI police (but you should look into CGI.pm itself, and compare your query grab with its), I do have a comment.
    my $file = $FORM{file};
    $file =~ s{.*/}{};        # remove any path, this takes care of the ../.. security problem
    $file =~ s/[^\w\-.]//g;   # remove anything in the filename that isn't a word character,
                              # a dash, or a dot. This takes care of the `rm -rf /` type threats.
    ...
My view on the CGI.pm fascists is, YES you should use CGI.pm until you understand what the differences are. But including bloated modules in your code may, or may not, be a good idea. It depends, as things do, on context. For your usage, probably CGI.pm is a good idea. But if you were optimizing to keep the webserver's memory usage low under heavy load, then CGI.pm might not be as good.
--
Snazzy tagline here
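
The two substitutions from the post above, wrapped in a function, as an added example that is not part of the original post. It also rejects names the substitutions can leave behind (an empty string, `.` or `..`, a leading dot or dash). `$BASE_DIR`, `sanitize_filename` and the sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Hypothetical base directory; the post does not name one.
my $BASE_DIR = '/var/www/data';

# Returns a bare filename that is safe to join onto $BASE_DIR,
# or undef when nothing usable is left after cleaning.
sub sanitize_filename {
    my ($file) = @_;
    return unless defined $file;

    $file =~ s{.*/}{};          # the post's first step: drop any path component
    $file =~ s/[^\w\-.]//g;     # the post's second step: keep word chars, dash, dot

    # Checks added beyond the post. A request of ".." or "dir/.." survives
    # both substitutions unchanged, and "; rm -rf /" collapses to nothing.
    return if $file eq '';
    return if $file =~ /\A[.-]/;     # ".", "..", dotfiles, option-like names
    return if length($file) > 255;   # common filesystem name limit
    return $file;
}

# Constructed sample inputs, standing in for $FORM{file}.
my @samples = (
    'report.txt',
    '../../etc/passwd',
    '..',
    'dir/..',
    '; rm -rf /',
    '.htaccess',
    'a b$(c).log',
);

for my $raw (@samples) {
    my $name = sanitize_filename($raw);
    if (defined $name) {
        my $path = File::Spec->catfile($BASE_DIR, $name);
        printf "%-20s -> %s\n", "'$raw'", $path;
        # A real script would now use three-argument open, which never
        # involves a shell:  open(my $fh, '<', $path) or die "open: $!";
    }
    else {
        printf "%-20s -> rejected\n", "'$raw'";
    }
}
```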