Howdy, This is a snippet that should give you the idea... 
#!/usr/bin/perl -w

use strict;
use CGI;

my $query = new CGI;

my $go_switch = $query->param('go_switch');

if ($go_switch){
    my $file1 = $query->param('file1');
    my $file_type = $query->param('file_type');
    if ($file_type eq "jpg" || $file_type eq "gif"){ #only allowing im
+ages here
        my $file_mod = "p000001";
        if ($file1) { # uploads the first file
            my $save_directory = "/var/www/storage/$file_mod.$file_typ
+e";
            print "$save_directory<BR>";
            my $BytesRead;
            my $Buffer;
            my $Filename = $file1;
            $Filename =~ s/^\.+//;
            my $File_Handle = $query->param('file1');
            open (OUTFILE,">>$save_directory");
            while (my $Bytes = read($File_Handle,$Buffer,1024)) {
                $BytesRead += $Bytes;
                print OUTFILE $Buffer;
            }
            close($File_Handle);
            close(OUTFILE);
            chmod (0666, "$save_directory");
        }
    }
}

[download]
It's not perfect, normally I increment the filename from a datasource and have a broader variety of files I allow, but I feel by setting the file type and name (and putting in places that are not executable just in case) and giving the person uploading absolutely no options at all concerning where it is placed, how it is named, and what the permissions are, I can sleep with only one ear listening for the emergancy pager...

A necessary evil in the current environment....:(

EEjack

In reply to Re: File Upload - AND hidden values by eejack
in thread File Upload - AND hidden values by Anonymous Monk

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.