Liked the main idea :) Perhaps the uploader can write some meta data of what it's doing to the session (instead of some %SIG trickery) and the killer can use that info to wipe-out any residues. However using a form field to identify something on the disk is not a wise thing and a huge security risk. Always use sessions. If you are not sure how to implement one, use one from the CPAN.