in reply to taint check that I thought worked
Your question as asked is answered, but I wanted to make another note:
$tainted =~ s/\W//g; # remove all non word characters
if ($tainted =~ /\A([a-zA-Z0-9]{1,16})\z/i)
Basically, these two lines together say you can have everything in \w match (assuming an ASCII-clean input) except the underscore (and that 'i' at the end of the match statement is useless). Underscores are usually harmless, so it might be better to simply write:
if( $tainted =~ /\A ( \w{1,16} ) \z/x ) {
Which also has the advantage that if someone inputs 'firstname&lname&&' (which won't pass the length test if the '&' remain), it will spit it back as "failure" instead of doing something with the untainted version (which will be 'firstnamelname', and would pass the length test).
----
I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident.
-- Schemer
: () { :|:& };:
Note: All code is untested, unless otherwise stated
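
The difference between the two approaches discussed in this reply, shown side by side as an added example (not code from the original post). The sub names, the constructed sample inputs, and the `/a` modifier (Perl 5.14+, pins `\w` to ASCII to match the reply's "ASCII-clean" assumption) are assumptions added here.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern from the question: strip non-word characters first, then validate
# whatever is left. The input is silently rewritten before it is checked.
sub strip_then_match {
    my ($input) = @_;
    (my $copy = $input) =~ s/\W//g;
    return $copy =~ /\A([a-zA-Z0-9]{1,16})\z/ ? $1 : undef;
}

# Pattern from the reply: validate the input exactly as received and
# reject anything that does not match. Nothing is rewritten.
# /a (an addition here) restricts \w to [A-Za-z0-9_].
sub match_only {
    my ($input) = @_;
    return $input =~ /\A ( \w{1,16} ) \z/xa ? $1 : undef;
}

# Constructed sample inputs, not taken from any real application.
my @samples = (
    'alice',                # plain identifier
    'first_name',           # underscore: harmless, but rejected by the first form
    'firstname&lname&&',    # the example from the reply
    "bob\n",                # trailing newline; \z does not tolerate it
    'a' x 17,               # one character too long
    '../etc/passwd',        # path-like input
);

for my $in (@samples) {
    (my $shown = $in) =~ s/\n/\\n/g;    # make the newline visible in output
    my $stripped = strip_then_match($in);
    my $strict   = match_only($in);
    printf "%-20s strip+match: %-16s match-only: %s\n",
        "'$shown'",
        $stripped // 'REJECTED',
        $strict   // 'REJECTED';
}
```

Any row where strip+match returns a value that differs from the input is a case where the program would act on data the user never actually submitted.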