my $username=$ENV{'REMOTE_USER'};

will generally provide you that information, assuming the user/agent is not broken.

Even better,

use CGI;
my $cgi = CGI->new();
my $username = $cgi->remote_user();
[download]

Update: From CGI.pm:

sub remote_user {
    return $ENV{'REMOTE_USER'};
}
[download]

Heh, not a lot of difference in practice. But, hey, encouraging more people to use CGI is a good thing, right?

Obviously every CGI program should 'use CGI', but why is it better to get the remote user out of the CGI query?

Unless it's because of tainting... I know that %ENV is considered tainted until/unless you delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; Is the remote_user() that you get out of CGI automatically untainted?

Then you have a problem elsewhere. If you are using the standard BASIC AUTHENTICATION schema of (most) webservers, the two examples given do work.

Perhaps posting your .htaccess, associated script and platform information (OS, server software) might yield some constructive responses.

.htaccess below......running on redhat 6.2 . apache.

AuthUserFile .htpasswd 
AuthGroupFile /dev/null
AuthName "Site"
AuthType Basic

#<Limit GET POST>
<Limit GET>

using in script
[download]

#!/usr/bin/perl -Tw

$| = 1;

use CGI qw(param);
use strict;

my $file = param("file");
my @file_name = split(/\\/,$file);
my $file_name = pop(@file_name);
my $max_file_size = 2000000;
my $base_dir = "/home/ducc/";
my $out_file = $base_dir . $file_name;
my $log_file = $base_dir . "upload.log";
my ($total_bytes_read, $ip_log, $time_log);
my $username = $ENV{REMOTE_USER};

print "Content-type: text/html\n\n";
open (OUT, ">$out_file") || die "Can't open: $!";
open (LOG, ">>$log_file");
  while (my $bytes_read = read($file, my $buffer, 1024)){
    $total_bytes_read += $bytes_read;
    $ip_log = $ENV{'REMOTE_ADDR'};
    $time_log = scalar localtime;
      if ($bytes_read > $max_file_size){
        print "ERROR: The file you tried to upload is will not be uplo
+aded<br>";
        print "Your file is: $bytes_read bytes<br>";
        print "The max file size you can upload is $max_file_size byte
+s<br>";
        close (OUT);
        unlink ($out_file);
        print LOG "ERROR: At $time_log $username tried to upload $out_
+file that was $bytes_read bytes from $ip_log\n";
        die "$time_log: $ip_log tried to upload a file > $max_file_siz
+e";
      }else{
        print OUT "$buffer";
        print LOG "At $time_log $username uploaded $out_file that was 
+$bytes_read bytes from $ip_log\n";
      }
  }
close (OUT) || die "Can't close: $!";
close (LOG);

print "$username has completed uploading $file_name: $total_bytes_read
+ bytes<br>";
print "Done...";
[download]

code above still needs a lot of security checking </code>