I don't know much about web apps, so you tell me. Is there any way that input from a user via a web app will be used by <>, without the programmer explictly assigning it to @ARGV?

Since no one else has, I'll tell you. Yes, there is. It's sort of a holdover from back when ISINDEX was actually common. When called with a query string not containing an equals sign ("=") the query string is supplied to the script via argv. If the query string contains one or more plus signs ("+") then the string is split on those and each fragment becomes a separate argument in argv.

For example... put this in a cgi script...

#!/usr/bin/perl 
print "Content-type: text/plain\n\n";
print while (<>);
[download]

And then open http://yourhost/path/to/that/script.cgi?script.cgi+script.cgi And you should see the source of the script printed twice.

Don't leave that on your server, of course.