in reply to security issues with an index.pl-type thing...

Yes, this is the way to do it. You'd be surprised at the number of sites you can compromise because you can do things like index.pl?template=../../../../passwd.

I wouldn't even trust a regex to 'take out the ..' either as you could probably just do /etc/passwd instead. Yes, you could also regex off ^/ as well, but you'll be doing stuff like that as long as that script exists.

Also consider using pathinfo or a mod_perl handler because it looks a little nicer :)
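An added example, not part of the original post: one way to avoid filtering the parameter at all is to use it only as a key into a fixed allowlist, so request input never becomes part of a file path. The template directory, template names and helper functions here are hypothetical, and the sample requests are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Assumptions for this example: directory and template names are hypothetical.
my $TEMPLATE_DIR = '/var/www/templates';
my $DEFAULT      = 'home';

# Allowlist: request input is only ever a key into this hash,
# never a component of the path that gets opened.
my %TEMPLATES = (
    home    => 'home.tmpl',
    about   => 'about.tmpl',
    contact => 'contact.tmpl',
);

# Take the name from PATH_INFO (index.pl/about) when present,
# otherwise from the already-parsed "template" query parameter.
sub requested_name {
    my ($env, $param) = @_;
    if (defined $env->{PATH_INFO} && $env->{PATH_INFO} =~ m{^/([^/]*)}) {
        return $1;
    }
    return $param;
}

# Returns the file to render, or undef when the name is not on the allowlist.
sub resolve_template {
    my ($name) = @_;
    $name = $DEFAULT unless defined $name && length $name;
    return undef unless exists $TEMPLATES{$name};
    return File::Spec->catfile($TEMPLATE_DIR, $TEMPLATES{$name});
}

# Constructed sample requests: [PATH_INFO, template parameter]
my @requests = (
    [ '/about', undef ],
    [ undef,    'contact' ],
    [ undef,    '../../../../passwd' ],
    [ undef,    '/etc/passwd' ],
    [ undef,    undef ],
);

for my $r (@requests) {
    my ($path_info, $param) = @$r;
    my $name = requested_name({ PATH_INFO => $path_info }, $param);
    my $file = resolve_template($name);
    printf "%-22s -> %s\n",
        defined $name ? "'$name'" : '(none)',
        defined $file ? $file     : 'rejected: respond 404';
}
```

Both values quoted in the post are rejected because they are not hash keys, without any pattern having to anticipate them; adding a page means adding one entry to `%TEMPLATES`.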