It is far easier and safer to just not use the name of the file that the user supplied to store the uploaded file under. Generate a unique ID for each file uploaded, store the file on the file system under this name and put the name the user had control over into a database. Then you can still display the name the user uploaded where necessary, but don't have to trust that there was nothing nasty in it.

Much easier (don't have to spend forever with regexes working out what is "legal") and far safer (when your regex missed something subtle).
_________________________
Remind me to change my signature to something more interesting someday
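
The approach described in the post above, sketched in Python as an added example (not code from the poster). The table layout, the function names and the use of SQLite are assumptions made for illustration, and the hostile filename is constructed sample input.

```python
import os
import secrets
import sqlite3
import tempfile


def open_db(path=":memory:"):
    # Hypothetical schema: server-generated ID -> name the user supplied.
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS uploads ("
        " file_id TEXT PRIMARY KEY, original_name TEXT NOT NULL)"
    )
    return db


def store_upload(db, upload_dir, user_filename, data):
    """Write data under a random ID; the user's name never reaches the path."""
    file_id = secrets.token_hex(16)  # 32 hex chars, nothing user-controlled
    path = os.path.join(upload_dir, file_id)
    with open(path, "xb") as fh:  # "x": fail instead of overwriting a file
        fh.write(data)
    # The user-supplied name is only ever passed as a bound parameter.
    db.execute(
        "INSERT INTO uploads (file_id, original_name) VALUES (?, ?)",
        (file_id, user_filename),
    )
    db.commit()
    return file_id


def lookup_upload(db, upload_dir, file_id):
    """Return (path_on_disk, original_name), or None for an unknown ID."""
    row = db.execute(
        "SELECT original_name FROM uploads WHERE file_id = ?", (file_id,)
    ).fetchone()
    if row is None:  # IDs not issued by store_upload never become a path
        return None
    return os.path.join(upload_dir, file_id), row[0]


def demo():
    upload_dir = tempfile.mkdtemp()
    db = open_db()
    hostile = "../../etc/passwd\x00.php"  # constructed sample input
    file_id = store_upload(db, upload_dir, hostile, b"hello")
    path, shown = lookup_upload(db, upload_dir, file_id)
    return upload_dir, file_id, path, shown


if __name__ == "__main__":
    print(demo())
```

The name read back from the database is still untrusted input when it is displayed, so it needs escaping for whatever output context it is written into.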