Although I am mostly just repeating what everyone else has said, use the CGI param() method, I can testify from recent maintenance experience that it is a good thing to do.

Last month I had to update a CGI script I wrote over a year ago. It formats stuff from a data file based on settings from a config file. I needed to give that data file the ability to specify which config file to use (formerly automagic). Happily, I used the CGI object to handle the internal passing of config file choice. Because I used the CGI object in a fit of laziness, it was trivial to add the new feature. Had I been more diligent and manually passed the info, I would have had to make some ugly changes to the code to get the configuration info passed around properly.

PS: Don't let unchecked params anywhere near your filesystem.

TGI says moo