to secure your filename variable you could try this when using Taint, also added use strict.
#!/usr/bin/perl -Tw
# Now uses Taint and strict
use CGI;
use strict;
my $upload_dir = "/tmp/jobs";
my $query = new CGI;
my $email_address = $query->param("email_address");
my $filename = $query->param("photo");
# Upload param check
unless($filename =~ /^([^\/\\]+)$/) {
print "File Not Writable! at upload param check";
exit;
}
$filename =~ s/.*[\/\\](.*)/$1/;
my $upload_filehandle = $query->upload("photo");
open UPLOADFILE, ">$upload_dir/$filename";
binmode ($upload_filehandle);
binmode (UPLOADFILE);
while ( <$upload_filehandle> )
{
print UPLOADFILE $_; # this was your problem $_
}
close UPLOADFILE;
| 