in reply to CGI upload script problem with Explorer.

Ack!! I would recommend not letting the user specify the file in this way. In other words, don't count on the browser to send you the name of the file. Ideally, if they will be overwriting existing files, give them a drop-down box to choose file names from (key the file names to numbers, use the numbers to look up the filename in the script so they can't hack the HTML and use any name they want). I would be afraid to use any script that lets the user control which file is getting uploaded and would continually be worried that someone could figure out a way around your regex and overwrite files you don't want them near. Am I paranoid? Damn straight I am. ;) Take it with a grain of salt, but I would recommend not relying on the web browser sending a name of the file it's sending; I'm not sure that they even have to in the spec.


___________
Eric Hodges
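The numbered drop-down lookup suggested in the reply above, sketched as an added example that is not part of the original post or thread. The table contents, the size cap, and the names `ALLOWED_FILES`, `resolve_target` and `store_upload` are assumptions for illustration; the browser-supplied filename is accepted as an argument only to show that it never reaches the filesystem.

```python
import os
import re
import tempfile

# Hypothetical server-side table: the form's drop-down sends only the number.
ALLOWED_FILES = {1: "price_list.csv", 2: "newsletter.txt"}
MAX_BYTES = 1_000_000  # assumed upload size cap


class UploadRejected(Exception):
    pass


def resolve_target(submitted_key, upload_dir):
    """Map the submitted form value to a fixed path, or raise UploadRejected."""
    # Accept only a short run of ASCII digits; anything else is a tampered form.
    if not isinstance(submitted_key, str) or not re.fullmatch(r"[0-9]{1,4}", submitted_key):
        raise UploadRejected("key is not a number")
    name = ALLOWED_FILES.get(int(submitted_key))
    if name is None:
        raise UploadRejected("key is not in the table")
    return os.path.join(upload_dir, name)


def store_upload(submitted_key, browser_filename, data, upload_dir):
    """Write data to the file chosen by key; browser_filename is never used as a path."""
    target = resolve_target(submitted_key, upload_dir)
    if len(data) > MAX_BYTES:
        raise UploadRejected("upload too large")
    # Write to a temp file in the same directory, then rename over the target,
    # so a failed upload never leaves a half-written file.
    fd, tmp = tempfile.mkstemp(dir=upload_dir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp, target)
    except BaseException:
        os.unlink(tmp)
        raise
    return target
```

Because the path is built only from the table entry, a regex over user-supplied names is no longer the thing standing between the form and the rest of the disk.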