in reply to Security again
You control the horizontal, you control the vertical. Don't let them adjust their directory structure.
Ovid suggests numbers, letters, and underscore. Excellent idea.
Also don't let them input the directory. If you remove any .. from the filename and remove any preceding directory names from the filename, you should be in nearly safe shape.
Obviously if you are accepting input from the user for the filename Taint is a must. Even so you must be careful since it is possible to use a silly regex to untaint a variable and still leave all manner of garbage in it. That said, it's still wise to double check that your -T is in place.
Something you might want to do which is not required might be to force either lc, uc, or ucfirst, whichever strikes your fancy. Letting all manner of capitalizations slip in can just confuse users. They won't recall they asked for the file to be called "fiLenAme.hTml".
In addition, consider having a list of approved extensions. This can cut down on confusion and possibly stop some silliness.
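An added example, not code from the original thread, that puts the reply's rules into one Perl subroutine (the sub names and the html/txt allowlist are my own choices): it strips any directory components, lowercases, untaints only through a strict allowlist match that cannot let `..` through, and checks the extension. A second sub shows the over-permissive `/(.*)/` untainting the reply warns about, which clears the taint flag but keeps every byte.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Allowlisted extensions (constructed for this example).
my %ALLOWED_EXT = map { $_ => 1 } qw(html txt);

# Returns a safe, untainted filename, or nothing when the input is rejected.
sub sanitize_filename {
    my ($raw) = @_;
    return unless defined $raw;

    # Drop leading directory components, Unix or Windows style, so
    # "../../etc/passwd" and "C:\temp\x.html" both reduce to their last element.
    $raw =~ s{^.*[/\\]}{};

    # Normalise case so "fiLenAme.hTml" and "filename.html" name the same file.
    $raw = lc $raw;

    # The only untainting step: a strict match allowing [a-z0-9_], exactly one
    # dot and a short extension. Captures ($1, $2) are untainted; ".." cannot pass.
    return unless $raw =~ /^([a-z0-9_]{1,64})\.([a-z0-9]{1,8})$/;
    my ($base, $ext) = ($1, $2);

    return unless $ALLOWED_EXT{$ext};   # approved-extension list
    return "$base.$ext";
}

# The "silly regex": untaints because it captures, but matches anything,
# so "..", "/" and "\" all survive in the result.
sub untaint_badly {
    my ($raw) = @_;
    ($raw) = $raw =~ /(.*)/s;
    return $raw;
}

# Constructed sample inputs; none of these is tainted, but under -T the same
# subs can be applied to @ARGV, %ENV or form fields.
for my $input ('Report_2024.HTML', '../../etc/passwd', 'C:\temp\notes.txt',
               'foo..bar.html', 'run.cgi', 'a b.txt') {
    my $safe = sanitize_filename($input);
    printf "%-20s -> %-18s (silly regex keeps: %s)\n",
        $input, defined $safe ? $safe : '(rejected)', untaint_badly($input);
}
```

Run it as `perl -T sanitize.pl` (or directly via the shebang); invoking it without -T when the shebang has -T makes perl refuse to start, which is one cheap way to confirm taint mode is in place.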