Injecting filenames is fragile and insecure. Use parameters.
Problematic code:
Correct code:
Rationale:
Exceptions: