Firstly, as mr nick observes, your best option is to exclude index.htm at the point where you read the directory, or whatever else is involved before you invoke this sub.

But then i'm a little confused, as this script won't try and read index.htm anyway. It appends .dat to the name you pass to it, so it I suppose it might try and read index.htm.dat if you're coming from an earlier readdir, but then it will just go &oops in the proper way.

Please reply if there's a particular problem i haven't understood, but it seems to me that you're basically fine.

Except there are much better ways to protect the directory from passers-by, anyway. A basic through-obscurity approach like this is pretty shaky, especially if the cats and ids are appearing on a site somewhere. The simplest alternative would be to put the data outside the web root, or use an .htaccess file to exclude everyone.

Your .htm suggests that you're on windows. I guess IIS must have some equivalent directory-level access-control mechanism? I tried looking on google but it kept offering me MCSE courses so i fled.