Several points to consider:
- You need taint mode, warnings and strict.
- use Basename; that strips all path information besides the file name.
- I hope you use CGI to read the form data.
- What sort of authentication is providing the user name?
There are plenty of perils in what you want. ++For getting review, be sure to get review again before you expose this to the world. You will need to think of oversized input. Is this a file upload, or textarea data written to a file?
After Compline,
Zaxo
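
The points in the reply above, combined into one CGI handler for the textarea case. This is an added example, not code from the post or the original question. The form field names (`name`, `text`), the storage directory, the 64 KiB limit and the filename pattern are assumptions.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI;
use File::Basename qw(basename);

# Assumed limits and paths (hypothetical, not from the post).
$CGI::POST_MAX        = 64 * 1024;   # refuse request bodies over 64 KiB
$CGI::DISABLE_UPLOADS = 1;           # textarea data only in this sketch
my $STORE_DIR = '/var/data/notes';

# Taint mode wants a known-safe environment before anything touches the system.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Strip path information, then untaint through an allow-list pattern.
# Returns an untainted file name, or nothing if the input is unacceptable.
sub safe_name {
    my ($raw) = @_;
    return unless defined $raw;
    $raw =~ tr{\\}{/};               # treat backslashes as path separators too
    my $base = basename($raw);
    return $1 if $base =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    return;                          # "..", dotfiles, empty names, odd characters
}

my $q = CGI->new;

# CGI.pm reports an oversized POST here instead of reading the body.
if (my $err = $q->cgi_error) {
    print $q->header(-status => $err, -type => 'text/plain'), "Request rejected\n";
    exit 0;
}

my $user = $q->remote_user;          # set only when the web server authenticated the request
my $name = safe_name(scalar $q->param('name'));
my $text = $q->param('text');

unless (defined $user && defined $name && defined $text) {
    print $q->header(-status => '400 Bad Request', -type => 'text/plain'),
          "Missing or invalid input\n";
    exit 0;
}

# $name is untainted by the regex capture, so taint mode permits this open.
open my $fh, '>', "$STORE_DIR/$name" or die "open failed: $!";
print {$fh} $text;
close $fh or die "close failed: $!";

print $q->header(-type => 'text/plain'), "Saved\n";
```

If `safe_name` is bypassed and the raw parameter reaches `open`, taint mode aborts the script, which is the backstop the first point in the reply relies on.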