Hello, Gadi Evron wrote: > This is a good best practice, but it doesn't hold water long > range. Further, where do you disallow these extensions? In the > application? > Mostly what the bad guys would do is upload, say.. .jpg, and then rename > it. This is what I do in Apache to directories used to store user uploaded files: <Directory "/var/www/html/application/uploaded"> php_admin_flag engine off </Directory> -- Taneli Lepp | Crasman Co Ltd <taneli@crasman.fi> | <http://www.crasman.fi/>