http://www.perlmonks.org?node_id=25534


in reply to RE: Re: File Naming
in thread File Naming

This is probably a little simpler and a lot safer:
$had_bad_characters = $user =~ s/\W//g; # Safer still (since what's defined as a 'word character' could change + based on locale/Unicode (?)) $user =~ s/[^a-zA-Z_-]//g; # Explicitely define what we want to ACCE +PT as valid
Generally the secure approach involves defining what is acceptable and disallowing everything else, not trying to filter out what we know/anticipate to be bad, because stuff frequently slips through.