GIF file including PHP code

The following two files are 100% identical on the server - one of them is just called .php, and the PHP code in the comment field of the picture is therefore executed.


... furthermore, MSIE still shows the .php file as a picture, even though the content-type is text/html. Check the .php file in another browser.

Lesson: Don't just check whether an uploaded file validates as a picture. Make sure you specify the extension (e.g. .gif) yourself.
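An added example (not code from the original note) of applying that lesson in an upload handler, written in Python rather than PHP so it can run stand-alone; the function names are hypothetical. It builds a constructed GIF whose comment block contains PHP-looking text, shows that it still validates as an image, and stores it under a random server-chosen name whose extension comes from the detected type, never from the client's filename.

```python
import secrets

# Allowed image types keyed by leading magic bytes. The server derives the
# extension from the detected type; the client's filename never decides it.
IMAGE_SIGNATURES = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
}


def detect_image_type(data: bytes):
    """Return the extension for a recognised image signature, or None."""
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def choose_stored_name(data: bytes, _client_filename: str) -> str:
    """Decide the on-disk name of an upload.

    The client's filename (and any '.php' it carries) is ignored entirely:
    the basename is random and the extension is the detected image type.
    """
    ext = detect_image_type(data)
    if ext is None:
        raise ValueError("upload is not a recognised image")
    return f"{secrets.token_hex(16)}.{ext}"


def gif_with_comment(comment: bytes) -> bytes:
    """Constructed sample: a 1x1 GIF89a with a Comment Extension (0x21 0xFE)
    inserted before the image descriptor, mirroring the file in the note."""
    header = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"       # screen descriptor
    palette = b"\x00\x00\x00\xff\xff\xff"                # 2-colour table
    blocks = b""
    while comment:                                       # <=255-byte sub-blocks
        chunk, comment = comment[:255], comment[255:]
        blocks += bytes([len(chunk)]) + chunk
    comment_ext = b"\x21\xfe" + blocks + b"\x00"
    gce = b"\x21\xf9\x04\x01\x00\x00\x00\x00"            # graphic control ext
    image = b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
    image += b"\x02\x02\x44\x01\x00\x3b"                 # LZW data + trailer
    return header + palette + comment_ext + gce + image
```

The comment survives the image check untouched, which is exactly why the extension must be set by the server; re-encoding the image before storage would additionally drop such metadata.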

- Peter Brodersen