I can't figure out why.

You compare strings numerically with   ==   - they default to TRUE or 1 in a numerical sense and thus every comparison is successful and the following block is executed.

To fix that problem, use the   eq   operator to compare the strings as strings. Read more about this in   perldoc perlintro   and   perldoc perlop.

While you're at it you can fix the broken HTTP-GET/Querystring parser and use   CGI.pm   - the following code will do that:

use CGI;
my $q = CGI::->new;
my %FORM = $q->Vars;
[download]

...instead of the part after the last use-statement and before the "Untaint Variables"-part.

Cheers, Sören