in reply to Secure CGI

This program seems particularly sticky because it involves the customer uploading and downloading data, not just sending strings containing their name and credit card number. Very Bad Things(tm) can happen when an untrusted source is allowed to save files on your system. More than anything, I'd make sure the file was saved in the right directory. You'll be safer if the user isn't allowed to choose the file name. (I'd like to upload this new file called "/bin/sh"...)

-Ted
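
The advice in the post above, as an added example (not part of the original post and not the poster's code): a Perl sketch that stores an upload under a server-generated name in one fixed directory. Perl itself, the helper names, the size cap and the use of `/dev/urandom` are assumptions; in a real CGI the input handle would come from the upload API and the directory would sit outside the web root.

```perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Spec;
use File::Temp qw(tempdir);

my $MAX_BYTES = 5 * 1024 * 1024;    # assumed cap; reject anything larger

# Build the file name entirely on the server; the client's name is never used.
sub new_upload_name {
    open(my $rnd, '<:raw', '/dev/urandom') or die "urandom: $!";
    read($rnd, my $buf, 16) == 16 or die "short read from urandom";
    close $rnd;
    return unpack('H*', $buf) . '.upload';
}

# Copy an already-open upload handle into $dir under a generated name.
# Returns the generated name; dies on any error or when the cap is exceeded.
sub save_upload {
    my ($in, $dir) = @_;
    my $name = new_upload_name();
    my $path = File::Spec->catfile($dir, $name);

    # O_EXCL: fail rather than overwrite a file or follow a pre-planted symlink.
    sysopen(my $out, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or die "cannot create $path: $!";
    binmode $in;
    binmode $out;

    my $total = 0;
    while (my $n = read($in, my $chunk, 8192)) {
        $total += $n;
        if ($total > $MAX_BYTES) {
            close $out;
            unlink $path;
            die "upload exceeds $MAX_BYTES bytes\n";
        }
        print {$out} $chunk or die "write failed: $!";
    }
    close $out or die "close failed: $!";
    return $name;
}

# Constructed demo: an in-memory "upload" whose client-supplied name is hostile.
my $client_name = '/bin/sh';    # only ever logged, never used as a path
open(my $fake, '<', \"constructed sample data\n") or die $!;
my $dir   = tempdir(CLEANUP => 1);    # stands in for the fixed upload directory
my $saved = save_upload($fake, $dir);
print "client called it '$client_name', stored as $dir/$saved\n";
```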