There are serious security issues you need to consider if you allow users to submit their own paths, depending of course on what you're doing with those paths. For the sake of simplicity, I would recommend that you only allow alphanumerics in these path names. You can then properly untaint and scrub your path as follows:
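use CGI;
my $CGI = CGI->new;
my $userpath = $CGI->param('userpath');
my $basepath = "C:/wwwroot/whatever";
# Keep only runs of word characters; each run becomes one path component.
my $path = join '/', $basepath, $userpath =~ /\w+/g;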
Speaking of untainting, you are using -T, right?
s aamecha.s a..a\u$&owag.print
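The scrub from the post above, run over a few constructed inputs under taint mode. This is an added example, not the poster's code. The helper name scrub_path, the sample inputs, the /a modifier (ASCII-only \w) and the rejection of inputs with no word characters are assumptions made for illustration.

```perl
# Run with: perl -T <this file>
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Base directory copied from the post.
my $basepath = "C:/wwwroot/whatever";

# Hypothetical helper: keep only runs of word characters from the
# user-supplied value and join them under $basepath.
sub scrub_path {
    my ($userpath) = @_;
    return unless defined $userpath;
    # List-context match: each \w+ run becomes one path component.
    # /a limits \w to ASCII [A-Za-z0-9_] (Perl 5.14+).
    my @parts = $userpath =~ /\w+/ag;
    return unless @parts;    # nothing usable left: reject
    return join '/', $basepath, @parts;
}

# Zero-length tainted string, so the constructed samples below behave
# like CGI input when the script runs under -T.
my $taint = substr("$0$^X", 0, 0);

# Constructed sample inputs.
my @samples = (
    'reports/2024',
    '../../etc/passwd',
    '..\\..\\boot.ini',
    'logs/app.log;rm',
    '../..',
);

for my $raw (@samples) {
    my $input = $raw . $taint;
    my $path  = scrub_path($input);
    printf "%-18s in_tainted=%d => %s\n", $raw, tainted($input) ? 1 : 0,
        defined $path
            ? "$path (out_tainted=" . (tainted($path) ? 1 : 0) . ")"
            : "rejected";
}
```

Dots are not word characters, so `app.log` comes out as the two components `app/log`; a caller that needs file extensions has to append them itself after the scrub.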