Current Perl documentation can be found at

Here is our local, out-dated (pre-5.6) version:

Read the CGI security FAQ, at, and the Perl/CGI FAQ at

In brief: use tainting (see the perlsec manpage), which makes sure that data from outside your script (eg, CGI parameters) are never used in eval or system calls. In addition to tainting, never use the single-argument form of system() or exec(). Instead, supply the command and arguments as a list, which prevents shell globbing.