The issues with the $file and $data variables that you pointed out were caused by my stripping this down to a minimal test case and overlooking them.

You mentioned that you had no problem using the code without the "no strict" lines. Were you using this to upload a file from a Web page and using CGI.pm? That's where I seem to get the symbolic reference problem.

I'll take a closer look at the perlsec doc and see if it addresses the problem. Thanks.