You should first check if the match succeeds, then do the assignment. Something like:
in reply to Best way to untaint
die "Horribly" unless param 'firstname' =~ /^([a-zA-Z])+$/;
my $u_firstname = $1;
die "Horribly" unless param 'lastname' =~ /^([a-zA-Z])+$/;
my $u_lastname = $1;
As for answer 2, a needs to pass its information to b, and b needs to pass that information to c, in whatever form is most convenient to you. Either encoded in the URL (could be in the path, could be in the query (which is what happens if a browser does a GET form request)), or in the body of the request (which is what happens if a browser does a POST form request). Or you could use smoke signals if you have a fire and a smoke receiver.