in reply to Re: Re: escaping filenames taken in via user input
in thread escaping filenames taken in via user input

Right. Then I'd say reject any filename that contains a dot - simple as that. Also, use the three-argument form of open as in open FH, "<", $filename; to avoid having tricks played on you with the magic open features of the two-argument form. See Ovid's excellent CGI course for more information on the topic of security in CGI scripts.

Makeshifts last the longest.
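
An added example, not part of the original post, showing the two suggestions together: reject names containing a dot, then open with the three-argument form. The function name open_user_file, the temporary base directory and the extra character allowlist are assumptions made for the demo.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Hypothetical base directory for this demo; a real script would use a fixed path.
my $base = tempdir(CLEANUP => 1);

# Create one constructed sample file to read back.
{
    my $path = File::Spec->catfile($base, 'notes');
    open my $out, '>', $path or die "setup failed: $!";
    print {$out} "hello\n";
    close $out;
}

# Returns a read handle for $name inside $base, or undef if the name is rejected.
sub open_user_file {
    my ($name) = @_;
    return unless defined $name && length $name;

    # Reject any name containing a dot, as the post suggests.
    # This covers "..", hidden files and extensions in one check.
    return if index($name, '.') >= 0;

    # Assumption, stricter than the post: allow only a small character set,
    # which also excludes "/", whitespace, NUL, "|", "<" and ">".
    return unless $name =~ /\A[A-Za-z0-9_-]+\z/;

    my $path = File::Spec->catfile($base, $name);

    # Three-argument open: the mode is a separate argument, so nothing in
    # the name is ever interpreted as a mode, a pipe or padding to strip.
    open my $fh, '<', $path or return;
    return $fh;
}

# Constructed sample inputs: one acceptable name, the rest rejected.
for my $name ('notes', 'notes.txt', '../notes', 'notes|', '>notes', ' notes ') {
    my $fh = open_user_file($name);
    printf "%-12s %s\n", "'$name'", $fh ? 'opened' : 'rejected';
    close $fh if $fh;
}
```

The validation and the three-argument open are independent layers: even if a name slipped past the checks, the explicit "<" mode means it would only ever be treated as a literal file to read.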
