Don't trust the user-defined extension. Send the content-type header along with the image when serving it up.

Easiest way to defend against that junk, look at the mime-type of the file being uploaded, and if you still want proof, read the file. If the file starts off with "<?php" or " <?" then you know you've got some code and not an image.

You can't trust mime type sent by the browser when the file is uploaded, if its sent at all.

Call getimagesize() to find out if its really an image; if so you'll get an array of data.

Copy the image, using GD functions and writing it to a file (ie: do not use a file copy function like copy()).

jazz_snob;10880444 wrote:

...
Copy the image, using GD functions and writing it to a file (ie: do not use a file copy function like copy()).

I like that: the selected GD create/copy function converts the image to a bitmap, then another writes it back to the desired image format. Good idea. Hard to imagine any image virus getting past that, unless it's actually targeted at those actual GD functions (which seems to be a very low risk, to me, assuming there even exists a vulnerability that could be so exploited).