From perlsec: Once taint mode is on, it's on for the remainder of your script.

So, alas. Perlsec also describes how to "launder" tainted data:

Here's a test to make sure that the data contains nothing
but "word" characters (alphabetics, numerics, and under­
scores), a hyphen, an at sign, or a dot.

     if ($data =~ /^([-\@\w.]+)$/) {
         $data = $1;                     # $data now untainted
     } else {
         die "Bad data in $data";        # log this somewhere
     }

This is fairly secure because "/\w+/" doesn't normally
match shell metacharacters, nor are dot, dash, or at going
to mean something special to the shell.  Use of "/.+/"
would have been insecure in theory because it lets every­
thing through, but Perl doesn't check for that.  The les­
son is that when untainting, you must be exceedingly care­
ful with your patterns.  Laundering data using regular
expression is the only mechanism for untainting dirty
data, unless you use the strategy detailed below to fork a
child of lesser privilege.
[download]