class.upload.php is a powerful and mature PHP class to manage uploaded files and manipulate images in many ways. The script is available under a GPL license.
For extra security, you can have the mime_content_type PHP extension enabled, and set $handle->mime_magic_check to true. That would double-check the MIME type, but at present it will only give a warning. Probably I could have the process fail if the detected MIME is different from the one set by the browser. I don't know if there would be some false positives.
You can harden the security a bit more by having a very restricted set of MIME types that you accept. Yes, the attacker can still fake it.
It is planned to implement fileinfo support, which will allow for further MIME checks. It will also be helpful when uploading from a Flash uploader.
I will look more into it when I implement fileinfo and will try to implement a "paranoid" setting with more checks.
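The "paranoid" behaviour discussed above (fail instead of warn when the browser-declared type, the magic-byte detection and a restricted allow-list disagree), written out as an added example. This is not class.upload.php's own code and does not use its API; it assumes the fileinfo extension is available (with mime_content_type() as a fallback), a form field named "my_field", and an upload directory of /var/www/uploads, all of which are assumptions for this example.

```php
<?php
// Added example, not part of class.upload.php: a "paranoid" MIME check that
// rejects the upload unless the browser-declared type, the type detected from
// the file's magic bytes, and an explicit allow-list all agree.
// Assumes $file is one entry of $_FILES as PHP populates it
// ('name', 'type', 'tmp_name', 'error', 'size').

function paranoid_mime_check(array $file, array $allowed)
{
    // 1. PHP's own upload status, and proof the tmp file came from this request.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return array('ok' => false, 'mime' => null, 'error' => 'upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return array('ok' => false, 'mime' => null, 'error' => 'not an uploaded file');
    }

    // 2. Browser-declared type: drop parameters such as "; charset=..." and lowercase it.
    $declared = strtolower(trim(strtok((string) $file['type'], ';')));

    // 3. Type detected from the file content: fileinfo first, mime_content_type() as fallback.
    $detected = null;
    if (function_exists('finfo_open')) {
        $finfo = finfo_open(FILEINFO_MIME_TYPE);
        if ($finfo !== false) {
            $detected = finfo_file($finfo, $file['tmp_name']);
            finfo_close($finfo);
        }
    } elseif (function_exists('mime_content_type')) {
        $detected = mime_content_type($file['tmp_name']);
    }
    if ($detected === false || $detected === null) {
        return array('ok' => false, 'mime' => null, 'error' => 'could not detect MIME type');
    }
    $detected = strtolower($detected);

    // 4. Restricted allow-list, checked against the *detected* type, not the declared one.
    if (!in_array($detected, $allowed, true)) {
        return array('ok' => false, 'mime' => $detected,
                     'error' => "detected type $detected is not allowed");
    }

    // 5. Paranoid rule: a mismatch between browser and magic bytes is a failure, not a warning.
    if ($declared !== $detected) {
        return array('ok' => false, 'mime' => $detected,
                     'error' => "declared $declared does not match detected $detected");
    }

    // 6. For images, additionally require that the image decoder agrees with the detection.
    if (strpos($detected, 'image/') === 0) {
        $info = @getimagesize($file['tmp_name']);
        if ($info === false || strtolower($info['mime']) !== $detected) {
            return array('ok' => false, 'mime' => $detected,
                         'error' => "image header does not parse as $detected");
        }
    }

    return array('ok' => true, 'mime' => $detected, 'error' => null);
}

// The stored extension is derived from the detected type, never from the client filename.
$ext_by_mime = array('image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif');

// Usage; the field name and destination directory are assumptions for this example.
if (!empty($_FILES['my_field'])) {
    $result = paranoid_mime_check($_FILES['my_field'], array_keys($ext_by_mime));
    if ($result['ok']) {
        $dest = '/var/www/uploads/' . sha1(uniqid(mt_rand(), true))
              . '.' . $ext_by_mime[$result['mime']];
        move_uploaded_file($_FILES['my_field']['tmp_name'], $dest);
        echo 'Stored as ' . htmlspecialchars(basename($dest));
    } else {
        header('HTTP/1.1 400 Bad Request');
        echo 'Rejected: ' . htmlspecialchars($result['error']);
    }
}
```

Two caveats that matter in practice. The false positives the author wonders about do exist: older Internet Explorer versions declared JPEGs as image/pjpeg and PNGs as image/x-png, so a strict equality check in step 5 rejects legitimate uploads from those browsers unless you first normalize such aliases to their canonical types. And agreement between all three checks still only proves the file starts like a valid image: a well-formed JPEG or GIF can carry arbitrary bytes (PHP code included) in its comment segments, so the real protection is that the server-chosen extension comes from the detected type and that the upload directory is not allowed to execute scripts.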