Properly, you do something like the following:

#!/usr/bin/perl -Tw
use strict;
use CGI;

my $query = new CGI;
$query->param('thing') =~ /^([\w\s\d]+)$/ or die "Tainted data in thin
+g!";
my $thing = $1;
[download]

That allows you to properly (and safely) access the data in "thing". The regular expression should only specify the absolute minimum necessary for program functionality. The more it allows in $1, the greater the chance for a security hole.

Further, the or die is necessary when untainting. If the match fails, $1 could still carry the data from a previous match, thus setting $thing to an undesireable value.

Cheers,
Ovid