The problem with tr/A-Za-z_.-//dc; is that the . character could be used to attempt to open the current or parent directory.

I'm paranoid enough to do something like

tr/A-Za-z_.-//dc;
s/^\.+$//;
[download]

to make sure the user doesn't enter a string containing only dots.