$filename = $query->param("Resume_File");
$filename =~ s/.*[\/\\](.*)/$1/;
open UPLOADFILE, ">$upload_dir/$filename";
Please, never use user-supplied input to create a filename on the local system. For example, the following parameters could overwrite or create other files with content chosen by the user:
Resume_File=/../myscript.pl
Resume_File=/./.htaccess
If you think you really, really must create files with the name supplied by the user instead of keeping the "filename" in the database, consider explicitly keeping only a set of known good characters, like [a-zA-Z0-9\.] or something. Text::CleanFragment tries to do something like that, but before using it to create things in the filesystem, I would still look at storing the metadata in a database.
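One way to combine both suggestions from this reply, as an added example that is not part of the original post: the server chooses the on-disk name, and the client-supplied name is reduced to the known good characters and kept only as metadata. The helper names, the `.upload` suffix and the sample inputs are assumptions made for the illustration, and it assumes a Unix-like system with /dev/urandom.

```perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir);

# Allowlist: keep only known good characters from the client-supplied name.
# Returns undef when nothing usable remains (hypothetical helper).
sub clean_upload_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    (my $name = $raw) =~ s{.*[/\\]}{}s;   # drop any client-side path
    $name =~ s/[^a-zA-Z0-9.]//g;          # known good characters only
    $name =~ s/^\.+//;                    # no dotfiles such as .htaccess
    return length $name ? substr($name, 0, 100) : undef;
}

# Server-side identifier: 16 random bytes as hex (assumes /dev/urandom).
sub random_id {
    open my $rnd, '<:raw', '/dev/urandom' or die "urandom: $!";
    (read($rnd, my $bytes, 16) // 0) == 16 or die "short read from urandom";
    close $rnd;
    return unpack 'H*', $bytes;
}

# The file is written under a name the client never influences; the cleaned
# client name is returned as metadata (a database row in a real application).
sub store_upload {
    my ($upload_dir, $raw_name, $content) = @_;
    my $path = "$upload_dir/" . random_id() . '.upload';
    # O_EXCL refuses to open a file that already exists, so nothing is overwritten
    sysopen my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600
        or die "cannot create $path: $!";
    binmode $fh;
    print {$fh} $content or die "write failed: $!";
    close $fh or die "close failed: $!";
    return { path => $path, display_name => clean_upload_name($raw_name) // 'unnamed' };
}

# Constructed sample inputs, including the two parameters quoted in the post.
for my $raw ('/../myscript.pl', '/./.htaccess', 'C:\\docs\\my resume.pdf', '....') {
    my $clean = clean_upload_name($raw);
    printf "%-24s -> %s\n", $raw, defined $clean ? $clean : '(rejected)';
}
my $meta = store_upload(tempdir(CLEANUP => 1), '/./.htaccess', "constructed content\n");
print "$meta->{path} holds the upload shown to users as '$meta->{display_name}'\n";
```

The first sample still cleans to `myscript.pl`, a perfectly valid script name, which is why the cleaned name is used for display only and never as the path that gets opened.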