Well, for a start it's coming from the outside world.
In my opinion all CGI programs should be able to run under taint mode before they get put onto a live server. All incoming data must be taint checked before being used. In this case we expect a string, so we can strip everything that isn't, and so remove all the nasty shell characters and \00.
in reply to Re: Re: Errors in my (simple?) CGI Script!
in thread Errors in my (simple?) CGI Script!
In the context of the program above it might appear overkill, but arguably it's better to get into good habits early.
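As an added illustration of the taint-mode habit described above (this is example code, not the poster's or the thread's own script), here is a minimal CGI program run under `-T`. It assumes CGI.pm is installed; the helper name `untaint_name` and the allowed-character set are my own choices, not something the post specifies. Under taint mode, Perl marks every value that arrives from the outside world (query parameters, form fields, `%ENV`) as tainted and dies if such a value reaches `system`, backticks, `open` or similar. The only way to clear the taint is to capture what you expect from a regular expression, which is exactly the "strip everything that isn't a string" step the reply recommends:

```perl
#!/usr/bin/perl -T
# Added example, not the original poster's code: a CGI script running
# under taint mode (-T). Anything from the request is tainted until it
# has been passed through a capturing regex.
use strict;
use warnings;
use CGI qw(param header);

# Taint mode also refuses to run external commands unless PATH and a few
# other shell-influencing variables are set to known-safe values.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint a single expected string. Whatever the capturing group matches
# becomes trusted; everything else (shell metacharacters, NUL bytes,
# overlong input) is rejected rather than "cleaned up" piecemeal.
# The allowed set below (letters, digits, space, dot, hyphen, 1-64 chars)
# is an assumption for this example; tighten it to what your form needs.
sub untaint_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    $raw =~ s/\0//g;    # drop embedded NUL bytes before matching
    return $raw =~ /\A([A-Za-z0-9 .-]{1,64})\z/ ? $1 : undef;
}

# 'name' is a hypothetical form field for this example.
my $name = untaint_name( scalar param('name') );

print header('text/plain');
if ( defined $name ) {
    # $name is untainted here; taint mode would no longer object to it
    # being used in a filename or a command argument.
    print "Hello, $name\n";
}
else {
    print "Invalid input: expected a short alphanumeric name.\n";
}
```

The useful check is to run the script with `-T` and deliberately pass a value such as `foo;ls` or a field containing a NUL byte: the regex fails to match, `untaint_name` returns `undef`, and the request is rejected. If you instead tried to use `param('name')` directly in a `system` call, Perl would die with "Insecure dependency in system while running with -T switch", which is the point of testing under taint mode before the script ever reaches a live server.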