in reply to Re^2: CGI Module - parameters passed
in thread CGI Module - parameters passed

You haven't shown the relevant part of the form, but if you receive "both kinds" of parameters, that is, URL and POST parameters, you need to ask CGI about both kinds, or tell CGI to munge them both together into one. See CGI.

About "nasty things", there is no input that can make CGI.pm do nasty things, but usually, you tend to do stuff with the input yourself. So either use a templating system or make sure yourself that you properly escape all input you output to the user again. Also see perltaint.
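Both points above in one script, as an added example that is not part of the original post: on a POST request CGI.pm's `param()` reads the body while `url_param()` reads the query string, and anything echoed back goes through `escapeHTML()`. The request (environment variables, body, and the parameter names `id`, `name`, `color`) is constructed inline so the script runs offline.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI ();

# Constructed request: POST /form.cgi?id=42&name=from_url with a urlencoded body.
my $body = 'name=Tom+%26+%3Cb%3EJerry%3C%2Fb%3E&color=red';
$ENV{REQUEST_METHOD} = 'POST';
$ENV{CONTENT_TYPE}   = 'application/x-www-form-urlencoded';
$ENV{CONTENT_LENGTH} = length $body;
$ENV{QUERY_STRING}   = 'id=42&name=from_url';

# CGI.pm reads the POST body from STDIN, so point STDIN at the sample body.
close STDIN;
open STDIN, '<', \$body or die "cannot reopen STDIN: $!";

my $q = CGI->new;

# The two sources are kept apart: ask each one explicitly.
my $post_name = $q->param('name');        # from the POST body
my $url_name  = $q->url_param('name');    # from the query string
my $post_id   = $q->param('id');          # 'id' is not in the body
my $url_id    = $q->url_param('id');      # 'id' is in the query string

# Validate what must have a fixed shape; the capture is also what
# untaints the value when the script runs under -T (see perltaint).
my ($id) = ($url_id // '') =~ /\A(\d{1,9})\z/
    or die "id must be a short decimal number\n";

# Escape every user-supplied string at the point of output.
print $q->header(-type => 'text/html', -charset => 'UTF-8');
print "<ul>\n";
printf "  <li>id (URL, validated): %d</li>\n", $id;
printf "  <li>id present in POST body: %s</li>\n",
    defined $post_id ? 'yes' : 'no';
printf "  <li>name (POST body): %s</li>\n", $q->escapeHTML($post_name);
printf "  <li>name (URL): %s</li>\n",       $q->escapeHTML($url_name);
print "</ul>\n";
```

The `<b>` tags and the ampersand in the posted name reach the browser as entities, so they are displayed as text instead of being interpreted as markup.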