in thread simple form post question
It's always a bad idea to take some CGI input, then display it right back to the browser. The user may enter HTML tags, JavaScript etc. which might then disrupt your returned page.
I'd recommend always doing this if displaying back submitted data into the browser:
print $cgi->escapeHTML($string);
This 'escapes' any meaningful characters such as angle brackets, so the browser will just display them literally.
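Added example, not from the original post: a small CGI.pm script that reads one form field (the field name "comment" is assumed) and echoes it back both as page text and as a form value, escaping it once with escapeHTML before it lands in either place.

```perl
#!/usr/bin/perl
# Added example (not part of the original post): safely echo a form
# field with CGI.pm's escapeHTML. The field name "comment" is assumed.
use strict;
use warnings;
use CGI;

my $cgi = CGI->new;

# Read the submitted value; fall back to an empty string if absent.
my $raw = $cgi->param('comment') // '';

# Escape once, then reuse the escaped copy everywhere it is inserted
# into HTML text or into a double-quoted attribute value.
my $safe = $cgi->escapeHTML($raw);

print $cgi->header(-type => 'text/html', -charset => 'UTF-8');
print "<!DOCTYPE html>\n<html><body>\n";

# Unsafe version (what the post warns against), left here only as a
# comment: print "<p>You wrote: $raw</p>\n";
print "<p>You wrote: $safe</p>\n";

# escapeHTML turns & < > and " into entities, so the value cannot
# close this double-quoted attribute early or start a new tag.
print qq{<form method="post">\n};
print qq{  <input type="text" name="comment" value="$safe">\n};
print qq{  <input type="submit" value="Send">\n};
print "</form>\n</body></html>\n";
```

CGI.pm's command-line debugging mode lets you try this without a web server: `perl echo.pl 'comment=<b>hi</b>'` prints the page with the tags rendered as `&lt;b&gt;hi&lt;/b&gt;`. One caveat worth knowing: escapeHTML only converts a single quote to `&#39;` when the charset is ISO-8859-1 or WINDOWS-1252, so always put escaped values inside double-quoted attributes, and remember that HTML escaping does not make a value safe inside a `<script>` block or a URL, which need their own encoding.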