in reply to security question, mysql, limit, dbi, and placeholders

Hi,

It is strange that nobody mentioned Taint directly in their post. Use the -T flag in your CGI, or the Taint module from CPAN.
This way, you are sure that all the parameters need to pass an untaint method (like a regex).

I hope this helps,
---------------------------
Dr. Mark Ceulemans
Senior Consultant
BMC, Belgium
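
The following is an added example, not part of the original post: a sketch of untainting a LIMIT value with an anchored regex under -T before it goes into the SQL text. The helper name `untaint_limit`, the table name `items`, the upper bound of 500 and the sample inputs are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not from the original post. Run as: perl -T untaint_limit.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);    # core module, used here only to show taint state

# Zero-length tainted string from the environment. Appending it taints the
# constructed sample values below, the way real CGI parameters arrive tainted.
my $taint = substr(join('', values %ENV), 0, 0);

# Hypothetical helper: return an untainted integer in 1..$max, or undef.
sub untaint_limit {
    my ($raw, $max) = @_;
    return unless defined $raw;
    # Only a regex capture untaints. Anchor with \A and \z (not $, which
    # tolerates a trailing newline) and accept ASCII digits only.
    my ($n) = $raw =~ /\A([0-9]{1,6})\z/ or return;
    return if $n < 1 || $n > $max;
    return $n;
}

# Constructed sample inputs standing in for a "limit" CGI parameter.
for my $sample ('25', '10 OR 1=1', "5\n", '0', '999999') {
    my $raw   = $sample . $taint;
    my $limit = untaint_limit($raw, 500);
    (my $shown = $sample) =~ s/\n/\\n/g;
    if (defined $limit) {
        # Safe to interpolate: $limit is a validated integer, not user text.
        # "items" is a hypothetical table name.
        my $sql = "SELECT id, name FROM items ORDER BY id LIMIT $limit";
        printf "%-14s accepted, tainted(limit)=%d: %s\n",
            "'$shown'", tainted($limit) ? 1 : 0, $sql;
    }
    else {
        printf "%-14s rejected, tainted(raw)=%d\n",
            "'$shown'", tainted($raw) ? 1 : 0;
    }
}
```

With a real handle, setting DBI's `TaintIn` attribute on connect makes DBI itself refuse tainted arguments when Perl runs under -T, so a value that skipped the regex fails at the DBI call rather than reaching MySQL.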