in reply to CGI::Application and CGI security

CGI::Application uses CGI (by default, you can use something else if you desire). From the docs for CGI: 
 You can use these variables in either of two ways.

       1. On a script-by-script basis
           Set the variable at the top of the script, right after
           the "use" statement:

               use CGI qw/:standard/;
               use CGI::Carp 'fatalsToBrowser';
               $CGI::POST_MAX=1024 * 100;  # max 100K posts
               $CGI::DISABLE_UPLOADS = 1;  # no uploads

       2. Globally for all scripts
           Open up CGI.pm, find the definitions for $POST_MAX and
           $DISABLE_UPLOADS, and set them to the desired values.
           You'll find them towards the top of the file in a sub­
           routine named initialize_globals().

[download]

-derby

Update Arunbear's response is more accurate. In my code, I can get away with setting the variables at the top of the script since other included modules are pulling in CGI.pm (via use). If my code was more robust (and I utilized the dynamic nature of CGI::Application), setting the vars at the top of the script would do no good at all (and would just be lost when the CGI::Application requires CGI.pm). So no more + votes for this node, ++ to Arunbear node below.

In Section Seekers of Perl Wisdom