in reply to Re: rename file
in thread rename file

Now that you mention it, there is also the Apache notion of extensions, where foo.html.en.gz and foo.en.gz.html both have three extensions: en, html, and gz. This probably is not what our questioner is looking for, but this is part of a file-upload tool and it could be a security problem: Apache can recognize foo.cgi.png as a CGI script!

The infamous examples of this were of the form foo.php.jpg. If an upload script uses the name given during upload, that will run an alleged JPEG image through PHP when it is later viewed. Remote code execution, anyone?

For a file upload script, always store the file on the server under a machine-generated name and always ensure that the extension is derived from the Content-Type and/or inspection of the uploaded data, restricted to "safe" types and confirmed by inspecting the uploaded data. The uploaded file can be presented with any name and you cannot trust the information provided by the remote client.
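The advice above as a short Perl example, added here and not code from the original post: the stored name is built only from the uploaded bytes, with a single extension taken from an allow-list of magic-byte signatures. The `storage_name` helper, the three-type allow-list and the choice of a SHA-256 content hash as the machine-generated name are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Allow-list (assumed for this example): magic-byte signature => the only
# extension that will ever be stored for that type.
my @SAFE_TYPES = (
    [ qr/\A\x89PNG\x0D\x0A\x1A\x0A/, 'png' ],
    [ qr/\A\xFF\xD8\xFF/,            'jpg' ],
    [ qr/\AGIF8[79]a/,               'gif' ],
);

# Returns a storage name built only from the uploaded bytes, or undef when
# the data matches no allowed type. The client-supplied name is accepted
# only so the caller can log it; it never influences the stored name.
sub storage_name {
    my ($client_name, $data) = @_;
    for my $type (@SAFE_TYPES) {
        my ($magic, $ext) = @$type;
        next unless $data =~ $magic;
        # Hex digest plus one fixed extension: no dots from the client,
        # so Apache sees exactly one extension.
        return sha256_hex($data) . ".$ext";
    }
    return undef;
}

# Constructed sample uploads (header bytes only, not complete images).
my @uploads = (
    [ 'foo.php.jpg', "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" ],
    [ 'foo.cgi.png', "\x89PNG\x0D\x0A\x1A\x0A\x00\x00\x00\x0DIHDR" ],
    [ 'foo.php.jpg', "<?php echo 1; ?>" ],
);

for my $upload (@uploads) {
    my ($client_name, $data) = @$upload;
    my $stored = storage_name($client_name, $data);
    printf "%-12s -> %s\n", $client_name, $stored // 'REJECTED';
}
```

The signature check only looks at the leading bytes; the protection against the multi-extension problem comes from the stored name carrying exactly one allow-listed extension and nothing from the client.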

Re^3: rename file
by kcott (Archbishop) on Aug 26, 2020 at 05:47 UTC

    ++ All good points and good advice.

    — Ken