What you must remember when writing CGI: the client can give you anything. Never pass the query string to any sort of "eval" call, because a client can craft a query that executes arbitrary code on your server. Treat the query as if it were a live bomb: don't just drop it into your environment. Take it apart carefully, one '&'-separated piece at a time (and remember to always cut the red wire, never the green one).

Once you have taken the query apart and have put each name and value in its own string, go through every string and decode the percent escapes (%2A -> 0x2A = 42 -> '*'). Decode only after splitting: an encoded separator inside a value, such as %26 for '&', must stay part of that value rather than being mistaken for the boundary between two pairs.

Also, in a "comments" system, a comment can contain nasty little surprises (e.g. <img src="http://olsentwins.com/photogallery/images/120_small.jpg">), because whatever the client typed is otherwise rendered as HTML on your page. These profane comments are the reason that you must disallow many types of tags. Always beware the evil query.
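As an added example (not code from the original page), here is a small CGI query parser that follows the order described above: split on '&', split each pair on '=', and only then percent-decode, so an encoded separator such as %26 survives inside a value. For the comments problem it escapes every markup character rather than blacklisting tags; the function names and the sample query are my own constructions.

```python
import re

_HEX2 = re.compile(rb"[0-9A-Fa-f]{2}")


def percent_decode(s: str) -> str:
    """Decode %XX escapes (%2A -> '*'); '+' is a form-encoded space.
    Works on bytes so multi-byte sequences like %C3%A9 decode correctly;
    malformed escapes such as '%zz' are kept as literal text."""
    data = s.replace("+", " ").encode("utf-8")
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i:i + 1] == b"%" and _HEX2.fullmatch(data[i + 1:i + 3]):
            out.append(int(data[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return out.decode("utf-8", errors="replace")


def parse_query(qs: str) -> dict:
    """Split on '&' first, then on '=', and decode each piece last, so that
    %26 or %3D inside a value can never be mistaken for a separator.
    Repeated names are collected into a list."""
    params: dict = {}
    for pair in qs.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(percent_decode(name), []).append(percent_decode(value))
    return params


_HTML_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}


def escape_html(text: str) -> str:
    """Neutralise markup in a comment: instead of guessing which tags are
    bad, escape every character that can open or close one, so an injected
    <img ...> is displayed as text rather than rendered."""
    return "".join(_HTML_ESCAPES.get(ch, ch) for ch in text)


if __name__ == "__main__":
    # Constructed sample query: a space, an encoded tag, an encoded '&', UTF-8.
    sample = "name=Bob+Smith&comment=%3Cimg+src%3D%22x%22%3E&tag=a%26b&note=caf%C3%A9"
    for name, values in parse_query(sample).items():
        print(name, "=", [escape_html(v) for v in values])
```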