CGI.pm is still definitely still the way to go. I'm sure anymonk who has used both can list 5 bad experiences with cgi-lib.pl for every setback experienced with CGI.pm. In this case, a little regular expression should do the trick. There are probably better ones than this, but how about:

$filename =~ s/^.*\\//;

This line strips unwanted path name stuff.

$filename =~ s/[^\w.-]/_/g;

This line inserts underscores instead of unwanted characters.

Be sure to use the following attribute in your form tag:

enctype="multipart/form-data"

If you are still having any trouble, you should list out the code you are using. This will get you much quicker and more accurate responses to your queries.

This might also be of interest to you.

bassplayer