No. Don't use anything starting with HTTP_ directly in any file path. This is an arbitrary string coming from the browser, and can be manipulated directly by a person with ill intentions.

-- Randal L. Schwartz, Perl hacker