Re: file system based references
The most important thing is to escape the backslashes when you store the path to the database.
About substituting paths, you should url-encode your paths and filenames.
But then there is the question if it's better to encode it to the db or when presenting it to the user. It depends on how you will treat the filepaths later in your code.
I hope for your security reasons that you don't think about doing like this:
"download.php?file=c:\wamp\docs\marketing\peeps\old\file.mp3"
but instead "download.php?fileid=23" where 23 is the id in your database referring to the file, as in the first case, someone could rewrite the address to "download.php?file=c:\my\secret\files\passwords.txt" and get whatever file they want from the server.
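The id-based download the reply recommends, written out as an added PHP example (not code from the original thread); it assumes a PDO handle, a `files` table with `id`, `path` and `display_name` columns filled in by the upload code, and a directory the served files are supposed to live in.

```php
<?php
// Added example, not from the original post. Assumes a PDO connection and a
// table files(id INT, path VARCHAR, display_name VARCHAR).

// The pattern the post warns against: the client names the file on disk.
// download.php?file=c:\wamp\docs\...\file.mp3 lets the client read any file
// the web server process can open.
function download_by_path_unsafe(string $userSuppliedPath): void
{
    readfile($userSuppliedPath); // do not do this
}

// Hardened pattern: the client sends only an opaque id, the path comes from
// the database, and the resolved path is checked against the allowed
// directory as a second line of defence.
function download_by_id(PDO $pdo, string $idParam, string $docRoot): void
{
    // Accept only a positive integer id; anything else is a 404.
    if (!ctype_digit($idParam)) {
        http_response_code(404);
        exit;
    }
    // Prepared statement: no hand-escaping of backslashes or quotes needed.
    $stmt = $pdo->prepare('SELECT path, display_name FROM files WHERE id = ?');
    $stmt->execute([(int) $idParam]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        exit;
    }
    // Resolve symlinks and ".." and confirm the file sits inside $docRoot
    // (case-insensitive on Windows, where the paths in the post live).
    $real = realpath($row['path']);
    $root = realpath($docRoot);
    $cmp = DIRECTORY_SEPARATOR === '\\' ? 'strncasecmp' : 'strncmp';
    if ($real === false || $root === false
        || $cmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/octet-stream');
    // URL-encode the name when presenting it to the client, not when storing it.
    header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode($row['display_name']));
    header('Content-Length: ' . filesize($real));
    readfile($real);
    exit;
}

// Usage for download.php?fileid=23 (sqlite file and root directory are assumed).
download_by_id(new PDO('sqlite:files.db'), $_GET['fileid'] ?? '', 'C:\\wamp\\docs');
```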