in reply to RE: RE: Re: File Upload Security Question
in thread File Upload Security Question

You'll have to store some sort of ID with the file, perhaps the supplied file name from the upload routine.

Since it goes straight into the database (be sure to quote it or use a DBI placeholder), you don't have to worry about the security implications of passing user data through the shell as part of an open statement.

You can also use a simple SQL SELECT statement to pull the file out of the database: SELECT file FROM saved_files WHERE name = ?;
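
The store-and-fetch approach described in the post above, as an added example that is not part of the original post: the upload's supplied name and contents are bound through DBI placeholders, so a name containing quotes, pipes or semicolons is only ever data. Assumptions: an in-memory SQLite database via DBD::SQLite, the column types, the hypothetical helpers `save_upload` and `fetch_upload`, and constructed sample inputs.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI qw(:sql_types);

# Assumption: in-memory SQLite (DBD::SQLite) stands in for the real database.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });

# Table and column names follow the SELECT in the post; the types and the
# PRIMARY KEY constraint are assumptions made for this example.
$dbh->do('CREATE TABLE saved_files (name TEXT PRIMARY KEY, file BLOB NOT NULL)');

# Hypothetical helper: store one upload. Both values are bound as parameters,
# so the supplied name never becomes part of the SQL text or a shell command.
sub save_upload {
    my ($name, $bytes) = @_;
    my $sth = $dbh->prepare('INSERT INTO saved_files (name, file) VALUES (?, ?)');
    $sth->bind_param(1, $name);
    $sth->bind_param(2, $bytes, SQL_BLOB);    # keep binary content intact
    return $sth->execute;
}

# Hypothetical helper: fetch the stored bytes by name; undef if no row matches.
sub fetch_upload {
    my ($name) = @_;
    my ($bytes) = $dbh->selectrow_array(
        'SELECT file FROM saved_files WHERE name = ?', undef, $name);
    return $bytes;
}

# Constructed sample inputs: a name full of SQL and shell metacharacters,
# and content containing NUL and high bytes.
my $odd_name = q{it's "final" | draft;v2.txt};
my $content  = "\x00\x01binary\xff";

save_upload($odd_name, $content);
save_upload('notes.txt', "hello\n");

my $back = fetch_upload($odd_name);
print "round trip intact\n" if defined $back && $back eq $content;

my ($count) = $dbh->selectrow_array('SELECT COUNT(*) FROM saved_files');
print "rows stored: $count\n";

print "unknown name: ", (defined fetch_upload('missing.txt') ? 'found' : 'no row'), "\n";
```

With `RaiseError` set, a second upload under an existing name dies on the PRIMARY KEY constraint rather than silently replacing the first file.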