I have a text + file upload script. The file upload is limited to certain file extensions (BMP, bmp, JPEG, jpeg, JPG, jpg). The upload file name is stripped of any characters that aren't letters, numbers, periods, underscores, or dashes. Then I added something to make sure there is only 1 period in the file name so they can't upload a file to a different directory. And I run htmlspecialchars() on all the text fields. Do you think this is safe for anonymous file uploading?
