Since you are getting your username and password from a CGI query, I suggest you use Data::Dumper to find out what is really being given to your script. Perhaps some encoding is being done that CGI is not catching.

You're probably aware that browsers frequently encode form fields before passing them to GET; some browsers do this (usually to a lesser extent) for POST requests, too. CGI modules typically un-encode them, but maybe something is being missed here?

Incidentally, I highly recommend CGI::Simple as a replacement for CGI: it drops in to most CGI-using scripts without any serious code modification, and it has worked much better for me in every case.