No no no. Don't strip out blacklisted characters. Instead, strip out any but whitelisted ones. For example, s/\W+//g. It is too easy to overlook something otherwise.

bikeguy: you probably want to read perlsec. Also, Ovid's excellent CGI course has a good easily digestible discussion of CGI script security.

Makeshifts last the longest.