PerlMonks
Re^3: open file using variable passed by form

by haukex (Archbishop)
on Mar 19, 2018 at 07:59 UTC

in reply to Re^2: open file using variable passed by form
in thread open file using variable passed by form

length param('newCOMMENT')

This avoids warnings when param returns undef (at least on Perl 5.12 and up).

As for the regexes, have a look at perlrequick and perlretut. Using them, I make sure that param('event') contains only "word" characters (which excludes things like dots, slashes, or backslashes), and I make sure that newCOMMENT includes only "word" characters and horizontal whitespace (which excludes, for example, newlines; see perlrebackslash and perlrecharclass for all the details). I then use capture groups to "untaint" the values (see perlsec). You may find that the regexes are too restrictive, in which case you can add allowed characters, but be very careful with this - adding too many or the wrong ones will open the security holes again. This is another good reason to not use form input for filenames and use a database instead, where these things are not an issue if you use the right tools - see Bobby Tables.
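The validation and untainting described in the reply above, worked through as an added example (this is not haukex's code from the thread; the helper names, the 64/500-character length limits, the use of the /a modifier, which needs Perl 5.14 or later, and the temporary comments directory are assumptions made here). Run it with `perl -T` to see taint mode enforce the rule that only a value passed through a capture group may reach open():

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Hypothetical helper: return an untainted event name, or undef if the value
# is missing or contains anything outside "word" characters.
sub untaint_event_name {
    my ($value) = @_;
    return undef unless defined $value && length $value;
    # \w with /a is [A-Za-z0-9_] only; '.', '/' and '\' are rejected, so a
    # path like "../../etc/passwd" can never become part of a filename.
    # \A and \z are used instead of ^ and $ because $ tolerates a trailing
    # newline, which would defeat the check.
    return $value =~ /\A(\w{1,64})\z/a ? $1 : undef;   # $1 is untainted
}

# Hypothetical helper: return an untainted comment, or undef if the value is
# missing or contains anything but word characters and horizontal whitespace.
sub untaint_comment {
    my ($value) = @_;
    return undef unless defined $value && length $value;
    # \h matches spaces and tabs but not \n or \r, so a comment cannot
    # smuggle an extra line into a line-oriented comments file.
    return $value =~ /\A([\w\h]{1,500})\z/a ? $1 : undef;
}

# Append a validated comment to the per-event file under $dir.
# Returns the path written, or undef if either field failed validation.
sub store_comment {
    my ($dir, $raw_event, $raw_comment) = @_;
    my $event   = untaint_event_name($raw_event);
    my $comment = untaint_comment($raw_comment);
    return undef unless defined $event && defined $comment;
    my $path = "$dir/$event.txt";
    open my $fh, '>>', $path or die "Cannot open $path: $!";
    print {$fh} "$comment\n";
    close $fh or die "Cannot close $path: $!";
    return $path;
}

# Constructed inputs standing in for what param() would return from a form.
my @submissions = (
    [ 'spring_meetup',    "Great talk\tsee you next time" ],   # accepted
    [ '../../etc/passwd', 'harmless looking comment'       ],  # bad event name
    [ 'spring_meetup',    "first line\nsecond line"        ],  # newline in comment
    [ undef,              'no event given'                 ],  # missing param
    [ 'spring meetup',    'space in event name'            ],  # space not in \w
);

my $dir = tempdir(CLEANUP => 1);   # assumed storage location for the demo
for my $s (@submissions) {
    my ($event, $comment) = @$s;
    my $written = store_comment($dir, $event, $comment);
    printf "%-20s => %s\n",
        defined $event ? "'$event'" : 'undef',
        defined $written ? "written to $written" : 'REJECTED';
}
```

Only the first submission is written; the other four are rejected before open() is reached. Under `-T`, removing the capture groups and returning `$value` directly makes open() die with an "Insecure dependency" error, which is the behaviour the reply relies on: the regex is the one place where untrusted input becomes trusted, so every character added to it widens what can end up in a filename.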