I tried what you said but evenif the user select a valid filename drom the drop down menu his request still gets rejected.
Where did i go wrong in the following code? 
my @files = <../data/text/*.txt>;
my @display_files = map /([^\/]+)\.txt/, @files;
Encode::from_to($_, "ISO-8859-7", "utf8") for @display_files;

print br;
print start_form( action=>'index.pl' );
    print h1( {class=>'lime'}, "&#917;&#960;&#941;&#955;&#949;&#958;&#
+949; &#964;&#959; &#954;&#949;&#943;&#956;&#949;&#957;&#959; &#960;&#
+959;&#965; &#963;&#949; &#949;&#957;&#948;&#953;&#945;&#966;&#941;&#9
+61;&#949;&#953; => ",
                                popup_menu( -name=>'select', -values=>
+\@display_files ),
                                submit('&#917;&#956;&#966;&#940;&#957;
+&#953;&#963;&#951;'));
print end_form;

my $passage = param('select') || "&#913;&#961;&#967;&#953;&#954;&#942;
+ &#931;&#949;&#955;&#943;&#948;&#945;!";
Encode::from_to($passage, "utf8", "ISO-8859-7") if param();


if ( param('select') )
{
    unless ( $passage =~ /^[a-zA-Z&#945;-&#969;&#913;-&#937;0-9]+$/ )
    {
    print br() x 2;
    print h1( {class=>'big'},  "*Backward Directory Traversal* hack wi
+ll NOT help you here, Mighty Lamer!" );
        exit;
    }
    
    open(FILE, "<../data/text/$passage.txt") or die $!;
         local $/;
         $data = <FILE>;
    close(FILE);

    Encode::from_to($passage, "ISO-8859-7", "utf8");

    $select = $dbh->prepare( "UPDATE guestlog SET passage=?, date=?, c
+ounter=counter+1 WHERE host=?" );
    $select->execute( $passage, $date, $host );
}
else

[download]

In reply to Re^2: How to avoid Null Byte Injection by Nik
in thread How to avoid Null Byte Injection? by Nik

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.