We turn now to proven strategies for preventing attackers from carrying out remote execution exploits via your PHP scripts.
Apache uses a file's extension to determine the Content-Type header to send with the file, or to hand the file off to a special handler such as PHP. If your application allows users to determine the filenames and extensions of files they are uploading, then an attacker might be able to simply upload a file with a .php extension and execute it by calling it.
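One way to take the filename and extension out of the user's hands, shown as an added example rather than code from the original text. The allowlist contents, the function names `safeStoredName` and `storeUpload`, and the upload directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed policy for this example: permitted extension => expected MIME type.
const ALLOWED_UPLOAD_TYPES = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'pdf' => 'application/pdf',
];

/**
 * Return a server-generated filename for an upload, or null to reject it.
 * Only the final extension of the client name is consulted, and only as a
 * key into the allowlist; no other part of the client name is reused.
 */
function safeStoredName(string $clientName, string $detectedMime): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $expected = ALLOWED_UPLOAD_TYPES[$ext] ?? null;
    if ($expected === null || $expected !== $detectedMime) {
        return null; // .php, .phtml, no extension, or content/extension mismatch
    }
    // Random name: "shell.php.jpg" is stored as "<hex>.jpg", so no
    // user-chosen extension survives anywhere in the stored name.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/** Hypothetical handler; $uploadDir is assumed to sit outside the document root. */
function storeUpload(array $file, string $uploadDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $name = safeStoredName($file['name'], (string) $mime);
    if ($name === null) {
        return null;
    }
    return move_uploaded_file($file['tmp_name'], "$uploadDir/$name") ? $name : null;
}

// Constructed sample inputs: [client-supplied name, sniffed MIME type].
foreach ([['photo.JPG', 'image/jpeg'], ['shell.php', 'text/x-php'],
          ['shell.php.jpg', 'image/jpeg'], ['notes.pdf', 'text/html']] as [$n, $m]) {
    printf("%-14s %s\n", $n, safeStoredName($n, $m) ?? 'REJECTED');
}
```

The multi-extension case matters because Apache's mod_mime can act on more than one extension in a name, so checking only the last extension while keeping the client's full filename is not sufficient.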
There are of course extensions other than .php that could cause problems on your server, or could facilitate some other kind of attack. These include extensions used by other scripting ...