Try Ovid's CGI course. Lesson 3 contains an excellent section on why one shouldn't trust the shell with what the script has been (directly) passed, and what damage a malicious user could do.
By the way, it's perl or Perl, not PERL.
--
I'm Not Just Another Perl Hacker