Hehe, good point b10m. So is the only way to pass things like this securely by storing them in local files inaccessible to the user since you can't pass anything between instances of the script (non-persistant environment) and you shouldn't pass anything as a value (not secure)?
Well, you'll have to keep in mind that "(L)users are evil"™
Your first answer was already better, but I'm not exactly sure how Perl would handle input like "../../../../etc/passwd\0" (read: too lazy to test it). A little more secure would be to store the allowed files in a hash or array and give those choices to the l-user.