Today I came across something that puzzled me at first and seemed irresponsible, but that the manual cleared up. When uploading files in PHP, the $_FILES superglobal stores a bunch of information about each file, including its MIME type. I was puzzled by how easy it was to trick PHP into recording a wrong MIME type. However, the documentation clearly says:
The mime type of the file, if the browser provided this information. An example would be “image/gif”. This mime type is however not checked on the PHP side and therefore don’t take its value for granted.
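The practical consequence is that the type has to be determined on the server from the file's bytes. The following is an added example, not code from the original post: it uses PHP's fileinfo extension (libmagic) to sniff the content and ignores $_FILES['type'] entirely. The constant ALLOWED_TYPES and the functions detectedExtension() and acceptUpload() are my own names, and the trailing demo runs on a constructed temp file rather than a real request.

```php
<?php
// Added example (not from the original post): decide an upload's type from
// its bytes with the fileinfo extension instead of the client-supplied
// $_FILES[...]['type'], which is just the Content-Type the browser sent.

const ALLOWED_TYPES = ['image/gif' => 'gif', 'image/png' => 'png', 'image/jpeg' => 'jpg'];

/**
 * Returns the allowed extension for the file at $path, or null if its
 * content-sniffed MIME type is not in the allow list.
 */
function detectedExtension(string $path): ?string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($path);          // derived from magic bytes, not from the request
    return ALLOWED_TYPES[$mime] ?? null;
}

/** Validates one entry of $_FILES and returns the stored path, or throws. */
function acceptUpload(array $file, string $destDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $ext = detectedExtension($file['tmp_name']);
    if ($ext === null) {
        throw new RuntimeException('rejected: content is not an allowed image');
    }
    // Never reuse the client's filename or extension; pick our own name and
    // the extension that matches the detected content.
    $target = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not move file');
    }
    return $target;
}

// Demo on constructed data (no real request): the same temp file is first
// filled with PHP source, then with a minimal GIF header. Only the second
// is accepted, whatever Content-Type a browser might have claimed.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php echo 'hi'; ?>");
var_dump(detectedExtension($tmp));   // null: not an allowed image type
file_put_contents($tmp, "GIF89a" . str_repeat("\0", 20));
var_dump(detectedExtension($tmp));   // "gif": detected from the magic bytes
unlink($tmp);
```

In a real handler, acceptUpload($_FILES['upload'], $storageDir) replaces the demo, and the storage directory should sit outside the web root or be served with script execution disabled, since the extension check alone does not make the file safe to execute.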