You are correct, although your example would not work as you intended, something along the lines of the following would:

script.cgi?x=' . system "any valid OS command here" . '
[download]

the eval of which would look like this:

$x = '' . system "any valid OS command here" . '';
[download]

In this particular case, the UnTaint would not find any "naughty" symbols we associate with usual system cracking attempts. My focus, however was to address the cause of the poster's immediate problem. The references to the other links and the warning I think were sufficient. In his CGI Course, Ovid addresses these and other security issues.

--Jim