Another preventive measure you should take, especially when running external commands from your CGI program, is always to assume that you're not going to catch all malicious inputs. That doesn't call a shell, so special shell characters will be ignored, rendering a standard attack useless.
Therefore, don't use an all-powerful generic command like . Just don't use commands that invoke a shell, such as the two aforementioned calls. If you need to talk to the spawned process, open a pipe to it manually and talk over that.
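As an added example (not code from the original text), the following Python spawns an external helper with an explicit argument vector and talks to it over stdin/stdout pipes, so shell metacharacters in untrusted input reach the child as plain text; the helper program, `run_helper`, `argument_arrives_literally` and the sample inputs are all constructed here.

```python
"""Run an external program from a CGI script without ever invoking a shell.

The argument vector is handed straight to execve() via the list form of
subprocess.Popen, so characters a shell would treat specially (; | & ` $ *)
arrive in the child as ordinary bytes.  The child is a constructed stand-in
for whatever helper a real CGI script would call.
"""
import subprocess
import sys
from typing import Tuple

# Constructed stand-in helper: prints its first argument, then copies its
# stdin to stdout, so we can see exactly what it received.
HELPER = "import sys; print(sys.argv[1]); sys.stdout.write(sys.stdin.read())"


def run_helper(untrusted_arg: str, stdin_text: str = "",
               timeout: float = 5.0) -> Tuple[str, int]:
    """Spawn the helper with untrusted_arg as a single argv entry.

    No shell is involved: Popen with a list goes directly to execve().
    We talk to the child over explicit stdin/stdout pipes rather than letting
    it inherit the CGI process's descriptors.  Returns (stdout, exit code).
    """
    argv = [sys.executable, "-c", HELPER, untrusted_arg]
    with subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, text=True) as child:
        out, _err = child.communicate(stdin_text, timeout=timeout)
    return out, child.returncode


def argument_arrives_literally(untrusted_arg: str) -> bool:
    """Defence-in-depth check: the child must see exactly the bytes we passed,
    with no shell splitting, expansion or command chaining having occurred."""
    out, rc = run_helper(untrusted_arg)
    return rc == 0 and out.splitlines()[0] == untrusted_arg


if __name__ == "__main__":
    # Constructed sample input that a shell would parse as two commands.
    hostile = "user@example.com; echo INJECTED"
    print(argument_arrives_literally(hostile))  # True: the ';' is just text
```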
One example is ".htaccess" files, where httpd servers keep a little database of users and passwords.
Often, this sort of functionality is duplicated by hand so that accounts are easier to add and remove.
When we hit this CGI script through a Web browser, we get the following output: All of those variables got passed into our CGI script, and we didn't even ask for them!