I don't shell user input, but I don't check input if it is only for DB insertion.

That's fine, but you should consider data coming out of the database to be tainted. I believe there's an option that can be passed to connect when you open the db handle that will cause data coming from the db to be marked as tainted. Then if you try to do anything insecure with it, you'll get an error relevant to what you were trying to do, so you know what your checking needs to ensure.

Further, what's to stop somebody from passing me an enormous file that crashes my server?

Bandwidth. If they have enough bandwith to send you a file large enough to crash your server, there are a dozen other ways they can DOS you. Set a limit if you're worried about it (other posts in the thread tell you how), but I doubt it will be a real issue.

$;=sub{$/};@;=map{my($a,$b)=($_,$;);$;=sub{$a.$b->()}}
split//,".rekcah lreP rehtona tsuJ";$\=$ ;->();print$/
[download]