Leving aside the fact that this does not compile under strict as you don't declare %hash, this is a security hole just waiting for a cracker.The string form of eval is *dangerous*, don't use it until after you understand why. Here is a hint....

use strict;
use warnings;
my %hash;
my $a = '1};print "You have just been cracked!\n";#a1:a2:a3=foo';
my ($key, $val) = split /=/, $a, 2;
$key =~ s/:/}{/g;
eval "\$hash{$key}=\"$val\"";
__END__
You have just been cracked!
[download]

The print could be any arbitrary code. unlink, rm, shutdown....*any* code, running with the perms of whoever started the script.