For some reason I could not open a file (for writing) in /tmp, but was able to in a new sub-directory of cgi-bin...go figure.
That's strange, and could be an indication that your script is running
with privileges that are higher than e.g. the nobody user that webservers commonly use to run scripts. That'd be another reason to be incredibly careful with using form input for filenames and potentially other things. Attackers would happily exploit a security hole that allows them to create files to, for example, set up phishing sites under your domain.
Taint mode is a good idea in this case because it forces you to think about certain cases. But it's of course also not a silver bullet - thinking about what you are doing with user input is always a good idea :-)