filippo.toso wrote: You can use the extension of the file as a check.
If the user tries to upload a .php file and sends it with an image/jpg MIME type, it will be correctly uploaded and the attacker can exploit this behavior (i.e. to install malware, phishing sites, and so on).
If you check the extension, even if the file is a PHP script with .jpg extension, there's no way it will be executed by the web server and cause security issues (if the server is correctly configured).
An even better solution is to upload the files into a folder protected through an .htaccess that disables any kind of scripting support.
People don't upload files to servers just so they can try to execute them through a browser. Taking your example...
I rename output_all_passwords.php to output_all_passwords.jpg. Your script happily accepts it and stores it on the server somewhere.
I now execute a second attack on your website to make an insecure PHP script include it... say you're doing something very silly like "include $_GET['page'];" ... I request it with insecure_script.php?page=uploads/output_all_passwords.jpg ... ta-da, I have all your passwords!
Check the file is what you want it to be. Never, ever rely on anything from the user being what it should be.
@anomaly - To check that video files are what they should be, either write something to examine the file header or install ffmpeg and use that.
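Pulling the thread together, here is an added example (not code posted by either participant) of an upload handler that does all three things discussed above: it allowlists the extension, ignores the client-supplied MIME type and reads the file's own header bytes instead, and stores the file under a server-chosen random name. Below it is the `include $_GET['page']` pattern from the reply next to a fixed version that only ever passes server-chosen paths to `include`. The directory `/var/app/uploads`, the form field name `upload`, the `pages/` paths and the small signature table are assumptions for illustration.

```php
<?php
// Added example, not from the thread: extension + content checks on upload,
// then the vulnerable include beside its fixed form.
declare(strict_types=1);

// Allowed extension => byte signatures the file must actually start with.
// (Constructed allowlist; extend it to whatever your application accepts.)
const ALLOWED_TYPES = [
    'jpg'  => ["\xFF\xD8\xFF"],
    'jpeg' => ["\xFF\xD8\xFF"],
    'png'  => ["\x89PNG\r\n\x1a\n"],
    'gif'  => ["GIF87a", "GIF89a"],
];

// Read the first bytes of the file on disk and compare them with the
// expected signatures. This is the "examine the file header" check.
function matchesMagic(string $path, array $signatures): bool
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $head = fread($fh, 16);
    fclose($fh);
    if ($head === false) {
        return false;
    }
    foreach ($signatures as $sig) {
        if (strncmp($head, $sig, strlen($sig)) === 0) {
            return true;
        }
    }
    return false;
}

// Validate one entry of $_FILES and move it into $uploadDir, which should
// live outside DocumentRoot (assumed path below). Returns the stored name.
function validateUpload(array $file, string $uploadDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }

    // 1. Extension: use only the LAST extension, lowercased, so "shell.jpg.php"
    //    is rejected and "shell.php.jpg" is judged as a jpg (and renamed below,
    //    so the double extension never reaches disk).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }

    // 2. Content: $_FILES[...]['type'] is sent by the client, so it is never
    //    consulted. Check the header bytes, then let libmagic classify it too.
    if (!matchesMagic($file['tmp_name'], ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('File content does not match extension');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (strncmp((string) $mime, 'image/', 6) !== 0) {
        throw new RuntimeException('Not an image');
    }

    // 3. Never keep the client filename: a random name means the attacker
    //    cannot choose or predict the path for a later include.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}

// The pattern attacked in the reply above.
function renderPageVulnerable(): void
{
    include $_GET['page'];   // DON'T: ?page=uploads/x.jpg executes that file
}

// Fixed: user input selects a key; only server-chosen paths reach include.
function renderPageSafe(): void
{
    $pages = ['home' => 'pages/home.php', 'about' => 'pages/about.php'];
    $key = $_GET['page'] ?? 'home';
    if (!array_key_exists($key, $pages)) {
        http_response_code(404);
        return;
    }
    include $pages[$key];
}

// Usage (assumed field name and directory):
// $stored = validateUpload($_FILES['upload'], '/var/app/uploads');
```

Two caveats a practitioner should keep in mind. First, the header check defeats the plain "rename .php to .jpg" trick, but a polyglot (a real JPEG with PHP code tucked into a comment segment) passes both the signature and libmagic checks, so the content check does not make the `include $_GET['page']` pattern safe; the include itself has to be fixed as shown. Second, storing uploads outside the document root, or in a directory where the server has PHP handling disabled (for Apache, `php_flag engine off` in an .htaccess where AllowOverride permits it), is what stops direct execution through the browser, which is the separate case filippo.toso was addressing.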