Validate your form input. Instead of just taking Vars and assuming it's right pass it through Data::FormValidator. You can go further after that - allowing only a certain number of hits per time period, per IP, for example - but you might not need to go to that trouble once you filter out clearly invalid data like this.

Also, you need to do some locking on that file to prevent multiple simultaneous hits from corrupting it. I recommend you pick up a copy of O'Reilly's CGI Programming with Perl book. It will let you in on this and many other important techniques.

-sam