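# The call under discussion, kept for reference only: a two-argument open on
# a path built from request data, with the result never checked.
#   open FILE, "$filepath/$filename";

# so provided we hard code $filepath....
my $filepath = '/usr/somewhere';

# and untaint $filename ensuring there are no ../ etc, in it
# The raw request value gets its own name so the validated $filename is
# declared exactly once.
my $requested = $q->param('filename') || '';

# Anchored allow-list: ASCII letters, digits, '_', '.' and '-' only, so no
# '/' or NUL byte can get through. The lookahead also rejects the bare names
# '.' and '..', which the character class on its own would accept.
my ($filename) = $requested =~ m/\A(?!\.\.?\z)([A-Za-z0-9_.-]+)\z/;

# A failed match leaves $filename undefined; stop here rather than going on
# to open "$filepath/" itself.
defined $filename or die "invalid filename parameter";

# then this is quite safe...
# Three-argument open pins the mode to read, so nothing in the path string
# can be taken as a mode or pipe character. The FILE handle name is kept in
# case code outside this snippet reads from it.
open FILE, '<', "$filepath/$filename" or die $!;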