in reply to Is taint enough?

I hope I don't sound too naive asking this question, but if I use /bin/perl -T, do I still need to check user input for things like leading/trailing spaces, non-alphanumeric characters, hacker code etc. or is that filtered by the taint module?
It's important to realize that -T doesn't filter anything. It doesn't modify data. What -T does is flag externally acquired data (for instance, input read, environment variables, etc.), flag all derived data (copies of flagged data, substrings of such data, etc.), and raise a fatal error if you pass flagged data to system calls. Such flagged data is called 'tainted'.

You still need to 'untaint' the data yourself.

Abigail
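The following is an added example, not code posted in this thread, to show the point Abigail makes: taint mode only flags data and refuses to pass it to the outside world; the allow-list and the untainting are the programmer's job. The file name, the character class and the `untaint_filename` helper are choices made for this illustration; the input is whatever is typed on the command line, which -T marks as tainted just like STDIN, %ENV or CGI parameters.

```perl
#!/usr/bin/perl -T
# Added example (not from the original thread): what -T does and does not do.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# %ENV is tainted under -T. Any system/exec/backtick call dies with
# "Insecure $ENV{PATH}" until PATH is set from trusted data, so do that first.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untrusted input: command-line arguments are tainted under -T.
die "usage: perl -T $0 FILENAME\n" unless @ARGV;
my $raw = $ARGV[0];
printf "raw input: '%s'  tainted=%d\n", $raw, tainted($raw) ? 1 : 0;   # 1

# -T did not strip whitespace or reject anything; it only set the flag.
# Data derived from tainted data stays tainted, even after a substitution.
my $trimmed = $raw;
$trimmed =~ s/^\s+|\s+$//g;
printf "trimmed:   '%s'  tainted=%d\n", $trimmed, tainted($trimmed) ? 1 : 0;   # still 1

# Untainting is done by the programmer: match against an allow-list and keep
# only the capture. Perl marks $1 (and only $1) as clean. A pattern like /(.*)/
# "works" too, but it launders everything and defeats the purpose.
sub untaint_filename {
    my ($s) = @_;
    # Hypothetical policy for this example: a plain basename, no path
    # separators, no leading dot, at most 64 characters.
    return $s =~ /\A([A-Za-z0-9][A-Za-z0-9._-]{0,63})\z/ ? $1 : undef;
}

my $name = untaint_filename($trimmed);
die "rejected input: '$trimmed'\n" unless defined $name;
printf "untainted: '%s'  tainted=%d\n", $name, tainted($name) ? 1 : 0;   # 0

# Safe to hand to a system call now. Passing $trimmed here instead would die
# with "Insecure dependency in system while running with -T switch", even in
# list form, because Perl does not know what /bin/ls does with its argument.
system('/bin/ls', '-l', '--', $name) == 0
    or warn "ls exited with status $?\n";
```

Run it as `perl -T untaint.pl "  report.txt  "`; taint mode has to be enabled at startup, so `perl untaint.pl` with only the shebang flag fails with "Too late for -T option". Try `perl -T untaint.pl "foo;id"` to see the allow-list reject the value, and comment out the `untaint_filename` call to watch `system` refuse the tainted string itself.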