I would seriously hope that you have some verification that the filename makes sense.
Remember that some browsers send just the basename of the file, while others
send the full path. It'd be better if you had a separate field for "name you want
on the server", rather than relying at all on the "hint" provided by the browser
about the original name.
And use taint mode! That would probably have caught you with your pants
down on this one! Don't use untested user data to decide filenames or other
external things!
-- Randal L. Schwartz, Perl hacker
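The two points above (take a separate server-side name field rather than the browser's path "hint", and run under taint mode so request data cannot reach a filename unchecked) put into a short Perl script. This is an added example, not code from the post or its author; the function names, the `MAX_NAME_LEN` limit, the allowlist regex and the sample inputs are all assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post): choosing a server-side filename
# for an uploaded file without trusting the browser's "hint".
# Run with taint checks on (-T): anything derived from the request is tainted
# until it passes through a regex capture, which is the only untainting below.
use strict;
use warnings;

# Maximum length accepted for a stored name (assumption for this example).
use constant MAX_NAME_LEN => 64;

# Reduce a browser-supplied name to its last path component. Some browsers
# send "C:\Users\alice\report.pdf" or "/home/alice/report.pdf"; others send
# just "report.pdf". Strip everything up to the last slash or backslash.
sub basename_any_os {
    my ($hint) = @_;
    return '' unless defined $hint;
    $hint =~ s{.*[/\\]}{}s;
    return $hint;
}

# Validate and untaint a candidate name against an allowlist:
#   - starts with a letter or digit (so no ".", ".." or ".htaccess")
#   - then only letters, digits, underscore, dash and dot
#   - bounded length
# Returns the untainted name, or undef if the candidate is unacceptable.
sub untaint_filename {
    my ($candidate) = @_;
    return undef unless defined $candidate;
    my $max = MAX_NAME_LEN - 1;
    if ($candidate =~ /\A([A-Za-z0-9][A-Za-z0-9_.-]{0,$max})\z/) {
        return $1;    # the capture is the untainted copy
    }
    return undef;
}

# Pick the name to use on the server. The separate "name you want on the
# server" form field is preferred; the browser's original-name hint is only a
# fallback, and both must pass the same allowlist.
sub choose_server_name {
    my ($requested_name, $browser_hint) = @_;
    for my $candidate ($requested_name, basename_any_os($browser_hint)) {
        my $clean = untaint_filename($candidate);
        return $clean if defined $clean;
    }
    return undef;    # caller should reject the upload or generate a name itself
}

# Constructed sample inputs (not real requests).
my @cases = (
    [ 'quarterly.pdf',    'C:\Users\alice\Documents\report.pdf' ],  # => quarterly.pdf
    [ undef,              '/home/bob/notes.txt' ],                  # => notes.txt
    [ '../../etc/passwd', 'x.txt' ],        # requested name rejected, hint used
    [ undef,              'C:\tmp\.htaccess' ],  # hint reduces to ".htaccess", rejected
    [ '.htaccess',        undef ],               # nothing acceptable, rejected
);

for my $c (@cases) {
    my $name = choose_server_name(@$c);
    printf "%-20s %-40s => %s\n",
        defined $c->[0] ? $c->[0] : '(none)',
        defined $c->[1] ? $c->[1] : '(none)',
        defined $name   ? $name   : 'REJECTED';
}
```

Run it as `perl -T upload_name.pl` (starting it as plain `perl upload_name.pl` makes Perl complain "Too late for -T"). In a real CGI handler the two arguments would come from the form fields, and under `-T` both would be tainted; the regex capture in `untaint_filename` is then the single place where a value becomes usable as a path, so a name that slips past validation can only do so by slipping past that one regex.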