So it's cool that you're using
CGI.pm (at least if I read it right from my
early morning brain here), but just in case the home audience doesn't see what's
so wrong from this oft-repeated "cargo cult" junk:
- it doesn't handle a GET request instead of a POST
- an evil guy can give a huge content-length and overflow your system
- it doesn't handle the recommend ";" separator instead of "&"
- it mangles ~! in the content for some unknown reason
- while it fixes less-than and greater-than for HTML reasons, it doesn't patch up ampersand
- it folds possibly significant whitespace
- it removes trailing whitespace from a special field named username using a poor regex
- it creates the key/value pairs for a hash in separate arrays, rather than just assigning a new element directly
- it doesn't allow for SELECT MULTIPLE selection boxes or multiple fields with the same name, because the second value overwrites the first instead of adding to it
- it doesn't easily allow for file upload even to be grafted on the side
- it doesn't handle some of the recent CERT warnings about broken character set interpretations
all of which are handled properly by
CGI.pm.
And here's the problem. Whoever wrote this probably copied most of it from someone else (or worse, one of those awful books out there), and now the next guy who comes along says "hey, do you have anything that handles the CGI stuff?" will probably steal this code for his own. Without realizing any of the brokenness.
That's why we say so adamantly: use CGI.pm! It's just too much work to keep pointing out these major errors over and over and over again.
-- Randal L. Schwartz, Perl hacker