UU already provides a mechanism to detect file extensions client and server side. It is "YOUR" responsibility when you install this script to add file extensions that you may or may not want uploaded. Jeesh! $disallow_extensions = '/(sh|php|php3|php4|php5|py|shtml|phtml|cgi|pl|plx|htaccess|htpasswd)$/i'; $allow_extensions = '/(jpg|jpeg|gif|bmp)$/i';