11-09-2007, 02:23 AM
#10
bluesaga
Originally Posted by Village Idiot
Not as bad as the 500-line image upload script (all it did was upload); it used the imageGD library to verify that it is the said type of image. I've worked on a lot of madness, and that is among the worst I've seen.

I don't disclose clients' code because I don't retain the copyright to it.
Well, actually, you'll find those 500 lines well commented, with decent type detection (and checking the extension does NOT count as decent type detection; I mean checking that the MIME type is an image).

Say someone uploads uploaded.gif, and it's really a text document containing PHP; it can seriously damage your website.

Checking that the content actually is what it says it is, and changing it to the correct type if it isn't, is fairly easy. You can also have a standard form for extensions that way: no jpg, jPg, Jpeg, jPeg etc., all standardised and lower case.

What I mean by detecting and changing an extension: I'm sure many of you designers have cut corners before when doing a design that should have transparent corners, but instead they're white and you have referenced the image in hard code EVERYWHERE. That would mean changing image.jpg to image.png in 5000 places, so why not just change the JPEG to a PNG (while keeping the name image.jpg)? The latest browsers have supported that for years.

You need to make sure your image upload script supports that too!

Sorry if I went on, just trying to make a point.
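The content-based check bluesaga describes, written out as an added example; this is not code from the original thread or from either poster, and it is Python rather than the PHP/GD script the posts refer to. It decides the image type from the file's leading bytes only (the extension and whatever Content-Type the browser sent are ignored, since both are chosen by the uploader), renames the file to the canonical lowercase extension of the type actually found, and rejects anything that is not a GIF, PNG or JPEG. The signature table, the function names and the three sample uploads are this example's own assumptions, and the samples are constructed, not real files.

```python
import os
import re

# Magic-byte signatures for the image types this upload handler accepts.
# Keys are the canonical lowercase extension the file will be stored under.
# (Assumed accept-list for this example; extend it if you also allow WebP etc.)
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}

# Every spelling of an extension an uploader might send, mapped to the canonical one.
EXTENSION_ALIASES = {
    "gif": "gif", "png": "png",
    "jpg": "jpg", "jpeg": "jpg", "jpe": "jpg",
}


def sniff_image_type(data: bytes):
    """Return the canonical extension for the image type found in the leading
    bytes, or None if the content is not one of the accepted image types."""
    for ext, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def safe_upload_name(original_name: str, data: bytes) -> str:
    """Decide the name an upload is stored under.

    - The type comes from the content: 'uploaded.gif' holding PHP source
      raises ValueError instead of being stored.
    - If the extension disagrees with the content (a PNG sent as .jpg),
      the stored extension follows the content.
    - Extensions are normalised to lowercase canonical form ('JPEG' -> 'jpg').
    - Path components are dropped and the stem is reduced to a safe character
      set, so 'shell.php.jpg' becomes 'shell_php.jpg' (a single extension).
    """
    sniffed = sniff_image_type(data)
    if sniffed is None:
        raise ValueError("upload is not a GIF, PNG or JPEG image")

    base = os.path.basename(original_name)
    stem, _, ext = base.rpartition(".")
    if not stem:  # no dot at all, or a leading dot: treat the whole name as the stem
        stem, ext = base, ""
    claimed = EXTENSION_ALIASES.get(ext.lower())  # None if unknown or missing
    chosen = claimed if claimed == sniffed else sniffed
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem) or "upload"
    return f"{stem}.{chosen}"


# Constructed sample uploads for this example (not real files from anywhere).
SAMPLES = {
    # A genuine GIF header with an upper-case extension: normalised to .gif.
    "banner.GIF": b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff",
    # A PNG the uploader mislabelled as .jpg: the stored extension follows the bytes.
    "logo.jpg": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    # The case from the post: PHP source uploaded under an image name.
    "uploaded.gif": b"<?php phpinfo(); ?>",
}


def classify_samples():
    """Run every sample through safe_upload_name; None marks a rejected upload."""
    results = {}
    for name, data in SAMPLES.items():
        try:
            results[name] = safe_upload_name(name, data)
        except ValueError:
            results[name] = None
    return results


if __name__ == "__main__":
    for name, stored in classify_samples().items():
        print(f"{name!r:16} -> {stored!r}")
```

Two caveats worth keeping in mind when using a check like this in a real handler. A signature sniff only looks at the first few bytes, so a file that begins with a valid GIF header and carries PHP after it still passes; that is why the "change it to the correct type" step in the post matters, because decoding the upload and re-encoding it (with GD, imagecreatefromstring followed by imagepng or imagejpeg) produces a fresh file that no longer contains the trailing payload. And whatever the stored name, the upload directory should not be one the web server executes scripts from, so that a mistake in the check cannot turn into code execution.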