in reply to Using Variables in Path Names

There are already several very good posts on this topic, even some pointing out that you should be using taint checking and sanitizing your data. In addition to that, authorizing access of this nature is extremely important. I thought I might help by adding why this is so important.

If I were a mean person (not saying I'm not), but for the moment let's say I'm intent on causing trouble. Let's say I submit my assignment not as Laura but as Bob. I don't like Bob much; he sits next to me in class and breathes with his mouth open. So I decide to call my output file .bash_rc or .bash_profile. Even with a path appended to the string I can just make my file name ../../../.bash_rc or whatever it takes to get down to the home dir. Then I make the body of my assignment "rm -rf . > /dev/null &". As you can see, Bob is going to have a "Very Bad Day{TM}" on his next login.

Now, while your code doesn't allow this in its current form, something workable probably would allow something similar. I'm just trying to illustrate how many security holes you open up when you allow code to run that's dependent on HTML form fields. If he had to go through some sort of authorization it would lessen the chances of Laura getting even with evil mouth breathers on the system.

I hope this puts some fear into you. Oh, and I do speak from experience: I used to be the only Unix Admin for a Computer Science department with 600 active accounts each quarter.
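
An added example, not part of the original post: one way, in Perl, to map a form-supplied file name to a path that stays inside the submitting user's own directory. The sub name `safe_output_path`, the throwaway base directory and the assumption that the user name comes from an authenticated session rather than from the form are all hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Spec;
use File::Temp qw(tempdir);

# Map an authenticated user and a form-supplied file name to a path under
# $base/$user, or return undef. Allow-list first, then verify the resolved path.
sub safe_output_path {
    my ($base, $user, $name) = @_;
    return unless defined $user && defined $name;

    # The captures also untaint the values when running under -T.
    my ($u) = $user =~ /\A([A-Za-z0-9_]{1,32})\z/ or return;
    # No slashes and no leading dot: rejects ../ sequences and dotfiles alike.
    my ($n) = $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/ or return;

    # Resolve symlinks and confirm the user's directory is still inside $base.
    my $root = realpath($base) or return;
    my $candidate = File::Spec->catdir($root, $u);
    return unless -d $candidate;
    my $dir = realpath($candidate) or return;
    return unless index($dir, "$root/") == 0;

    return File::Spec->catfile($dir, $n);
}

# Constructed demo: a temporary base directory holding one user directory.
my $base = tempdir(CLEANUP => 1);
mkdir File::Spec->catdir($base, 'laura') or die "mkdir: $!";

for my $name ('hw1.txt', '../../../.bash_rc', '.bash_profile', 'a/b.txt') {
    my $path = safe_output_path($base, 'laura', $name);
    if (!defined $path) {
        print "rejected: $name\n";
        next;
    }
    # O_EXCL refuses to overwrite an existing file or follow a symlink there.
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or die "open $path: $!";
    print {$fh} "assignment body\n";
    close $fh or die "close: $!";
    print "accepted: $name\n";
}
```

The allow-list is the primary control; the `realpath` comparison only catches cases where the user's directory itself is a symlink pointing outside the base.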