One important thing to remember when developing web applications is that you can never trust your users, in any case. Humans are cruel; it's not unlikely that someone will try to crawl their way into your server or database.
When developing attachment, file upload, or similar systems, always remember to sanitize the file name.
Of course, modern filesystems don't allow slashes in a file name, so on its own the following wouldn't work:
Systems just don't like that. But be careful with what that does and doesn't mean: the filesystem won't store a name containing a slash, yet nothing stops a client from sending one in the upload request, since the name is just a string in the form data. If your code joins that raw string onto a directory path, the slashes and any ".." segments are interpreted as directories and the file can land outside the upload folder (path traversal). And even a name the filesystem happily accepts can be harmful: a specially crafted file name that is later echoed into a page unescaped could be used to steal cookies, redirect users, or modify the current page to the attacker's liking.
// Simple alert
// Cookie stealer
<em>ALWAYS</em> sanitize the file name. Keep yourself and your users safe. :)