To expand a bit on CountZero's reply, taint mode (-T) protects you from inadvertently writing a script that allows malicious abuse to be too easy. If you have specific expectations about the file(s) that should properly be deleted by this script in response to a CGI parameter that it receives, then you need to test that the value of the "f" parameter matches those expectations as explicitly as possible before you pass that parameter value to the "unlink()" function.

For example, if you know that proper file deletion requests must involve only files in a specific directory, and even better, if you know there is a specific pattern to the file names to be deleted, then your cgi script should be set up so that the browser sends a value for the "f" parameter that includes only the file name, or only the "variable" (user specified) portion of the file name. If the parameter value from the browser contains anything else (e.g. a directory path with slashes), you ignore the request -- you only do the unlink if the parameter value meets specific conditions, and you supply the directory path (and any fixed/pre-established portions of the file name) for the unlink call.

Without those checks and controls, a hacker who is lucky or knowledgeable enough to figure out file paths/names that the web-server "user" has permission to delete would be able to delete those other files, despite you having no intention to delete them.