Sigh. Security 101.
Sanitise your inputs.
Do not act upon the data as if it's a filename, program name or anything else.
Don't pass off unsanitised data to other programs.
Don't allow directory traversal.
This isn't just "a slip", this is just atrocious coding. Stop using this program, because god-knows-what other basic security mistakes have been made elsewhere in its coding.