I snooped around his site a bit, and it looks like he's using the easiest hack he could to pass the information into his program.
The HTML front is using a GET to pass the information to the CGI shell, so it arrives like this: "key=whatever", and he's just sticking the whole thing into an environment variable. This means at the Unix shell level he has "QUERY_STRING=key=whatever", so when he gets the value of QUERY_STRING he has to throw out the first bit to get just the characters.
I was basically right about why this causes it to read the next variable. Unix environment values are stored in an array of pointers to strings. If the strings end up in the simplest configuration, one after another, you will end up with "key=value0another=something0and=soon0" in the shell memory. C will gladly let you read past the end of a string into the next bit of memory, which will read into the next environment variable 99.99% of the time.
He tries to test for an empty string where he has query_string in the for loop. But I think he needs to be using *query_string here, because he wants to test the value of what is being pointed to, not the value of the pointer.
Jay
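Added example, not part of the original post or the site's code: the pointer test described above next to the dereferenced test, run over a constructed buffer that lays two environment strings back to back. The names env_block, NEXT_VAR, copy_buggy, copy_fixed and skip_key are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: two environment strings laid out back to back,
   as the post describes ('\0' is the terminator it writes as "0"). */
static const char env_block[] = "QUERY_STRING=key=ab\0NEXT_VAR=something";

/* Buggy form: tests the pointer itself, which is never NULL, so only the
   length limit stops the copy and it runs across the terminator. */
static size_t copy_buggy(const char *query_string, char *out, size_t n)
{
    size_t i = 0;
    for (; query_string && i < n; query_string++)
        out[i++] = *query_string;
    return i;
}

/* Fixed form: tests the character pointed to, so it stops at the terminator. */
static size_t copy_fixed(const char *query_string, char *out, size_t n)
{
    size_t i = 0;
    for (; *query_string && i < n; query_string++)
        out[i++] = *query_string;
    return i;
}

/* Skip "key=" only if it is really there, instead of jumping a fixed 4 bytes. */
static const char *skip_key(const char *qs)
{
    return strncmp(qs, "key=", 4) == 0 ? qs + 4 : NULL;
}

int main(void)
{
    const char *val = skip_key(env_block + strlen("QUERY_STRING="));
    char out[16];
    size_t n;

    if (val == NULL)
        return 1;
    n = copy_buggy(val, out, sizeof out);
    printf("buggy copied %zu bytes, including the next variable\n", n);
    n = copy_fixed(val, out, sizeof out);
    printf("fixed copied %zu bytes: %.*s\n", n, (int)n, out);
    return 0;
}
```

The buggy copy stays inside env_block only because of the length limit; against a real environment the same loop keeps reading whatever follows.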