in reply to -T

-T is supposed to stop your script, if it's not handling user input safe/unTainted-ly. You definitely need to look it up; the idea is that all user data could be an attempt to get your cgi to do bad things, so unless you ensure the data isn't dangerous, -T won't let it run. You need to do things like:

    $name = param('name');
    $name =~ /(\w+)/;
    $safe_name = $1; # use $safe_name from here on out

That's not correct, but it's one of the ways you need to un-taint input; run it through a safe-making RE and use only the matched part.

a
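As an added example (not part of the original post), here is the regex-untaint pattern described above with the whole value anchored and the match checked before `$1` is used. `untaint_name`, the allowed character class and the 32-character limit are assumptions for illustration, and the tainted sample inputs are constructed; run it as `perl -T`.

```perl
#!/usr/bin/perl -T
# Added example, not the poster's code. untaint_name() and its limits are
# hypothetical; adjust the pattern to what the field may legitimately hold.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Return the validated, untainted value, or nothing if the input is rejected.
sub untaint_name {
    my ($raw) = @_;
    return unless defined $raw;

    # \A ... \z forces the WHOLE value to match. An unanchored /(\w+)/ would
    # accept just the first word of a longer, unexpected string, and "$"
    # instead of "\z" would still allow a trailing newline.
    if ($raw =~ /\A([A-Za-z0-9_]{1,32})\z/) {
        return $1;    # a capture from a successful match is untainted
    }

    # No match: return nothing. Reading $1 after a failed match would hand
    # back the capture from some earlier, unrelated successful match.
    return;
}

# Constructed sample inputs. substr($^X, 0, 0) is a zero-length string that
# is tainted under -T; appending it taints each sample, so $raw behaves like
# a value returned by param('name').
my $TAINT = substr($^X, 0, 0);

for my $sample ("alice_01", "bob; extra words", "carol\n", "") {
    my $raw  = $sample . $TAINT;
    my $safe = untaint_name($raw);

    (my $shown = $sample) =~ s/\n/\\n/g;    # make the newline visible
    my $verdict = defined $safe
        ? sprintf("accepted '%s' (tainted=%d)", $safe, tainted($safe) ? 1 : 0)
        : "rejected";

    printf "%-20s raw tainted=%d -> %s\n",
        "'$shown'", tainted($raw) ? 1 : 0, $verdict;
}
```

Untainting only tells Perl the value was inspected; the pattern itself is what decides whether the value is safe for the place it is used.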

Re: Re: -T
by jcpunk (Friar) on May 16, 2003 at 02:04 UTC