Ah, now I understand.

On one hand, the fact that you give the possibility to upload something also exposes you to the fact that someone could actually upload something you don't want, being it a troll or a troll-script. As you say, there's really little to do with it, but I'd like to point out that this has little to do with an uploader script.

The other question deals with the browser more than a WWW::Mechanize script. There is a specific form input element (its type is, unsurprisingly, file) that allows file uploads, and this is usually shown as an entry box with a bundled button that lets you "browse..." through the filesystem. Given the fact that a form input element cannot be of two types at once(i.e. hidden and file), I'd sleep quietly from this point of view.