Hint: What type of thing is param('file') and how might that be useful to you in this situation? (The answer is in the POD documentation in CGI.pm)

Bonus hint: use -T to turn on taint checking, and fix the problems that it reports.

Update: If you're already taint checking, then you need to look carefully at what happens if someone inserts some hostile code into $description.