Your method of importing variables is maybe not the best way to go about things.
From CGI's POD:
IMPORTING ALL PARAMETERS INTO A NAMESPACE:
$query->import_names('R');
This creates a series of variables in the 'R' namespace. For example, $R::foo, @R::foo. For keyword lists, a variable @R::keywords will appear. If no namespace is given, this method will assume 'Q'. WARNING: don't import anything into 'main'; this is a major security risk!!!!
In older versions, this method was called import(). As of version 2.20, this name has been removed completely to avoid conflict with the built-in Perl module import operator.
And, looking in CGI's source code (v. 2.74), we see the following inside of import_names:
# protect against silly names
($var = $param)=~tr/a-zA-Z0-9_/_/c;
$var =~ s/^(?=\d)/_/;
which will only check the validity of the parameter's name; its value may still be malicious in some fashion. See perlsec for more on dealing with this type of 'tainted' data.
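
An added example, not part of the original post and not CGI.pm's own code: it applies the two name-sanitizing lines quoted above to some parameter names, then validates each value separately against an allow-list pattern, which is the step the name check leaves undone. The helper names, the %allowed patterns and the sample parameters are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Same two steps as the CGI.pm 2.74 lines quoted above: map every
# character outside [A-Za-z0-9_] to '_', then prefix a leading digit.
sub safe_var_name {
    my ($param) = @_;
    (my $var = $param) =~ tr/a-zA-Z0-9_/_/c;
    $var =~ s/^(?=\d)/_/;
    return $var;
}

# Hypothetical allow-list for values: the name check does nothing for
# them, so each value must match the pattern expected for its field.
# Capturing through a regex is also how perlsec describes untainting.
my %allowed = (
    user => qr/\A([A-Za-z0-9_]{1,32})\z/,
    page => qr/\A(\d{1,6})\z/,
);

sub checked_value {
    my ($name, $value) = @_;
    my $re = $allowed{$name} or return;    # unknown field: reject
    return $value =~ $re ? $1 : undef;     # $1 is the validated copy
}

# Constructed sample parameters (not from the original post).
my @sample = (
    [ 'user',      'alice'      ],
    [ 'page',      '12; echo x' ],   # valid name, unexpected value
    [ '9lives',    'x'          ],   # name starts with a digit
    [ 'ENV{PATH}', '/tmp'       ],   # name with punctuation
);

for my $pair (@sample) {
    my ($name, $value) = @$pair;
    my $ok = checked_value($name, $value);
    printf "%-10s -> \$R::%-10s value %s\n",
        $name, safe_var_name($name),
        defined $ok ? "accepted ($ok)" : 'rejected';
}
```

Running a real CGI script with the -T switch makes Perl enforce this: values that have not passed through a capturing match stay tainted and cannot reach system calls, file opens and similar operations.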