in reply to Image on web page

The previous post points you in the right direction as to your query, although you have a bigger problem in assuming that the "photo" param isn't going to be malicious.

Consider what might be served back to the outside world if the "photo" param was '../../../../usr/mydata/private.txt' for example.

You're creating a script which could potentially give read-access to any file on the server. As a first step, look up "taint mode" and turn it on!
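One way to handle the "photo" parameter under taint mode, as an added example that is not part of the original post. The directory `/var/www/photos`, the sub names and the extension list are assumptions.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Spec;

# Assumption: all servable images sit in this one directory (hypothetical path).
my $PHOTO_DIR = '/var/www/photos';

# Return an untainted bare file name, or nothing if the value is not acceptable.
# Note: -T does not block a read-only open() on a tainted name (see perlsec),
# so this allowlist is what actually stops '../' traversal.
sub clean_photo_name {
    my ($param) = @_;
    return unless defined $param;
    # No slashes, no leading dot, known image extension, bounded length.
    my ($name) = $param =~ /\A([A-Za-z0-9_-][A-Za-z0-9_.-]{0,63}\.(?:jpe?g|png|gif))\z/
        or return;
    return $name;    # a regex capture is untainted
}

# Map the parameter to a path inside $PHOTO_DIR, or nothing to refuse.
sub photo_path {
    my ($param) = @_;
    my $name = clean_photo_name($param) or return;
    my $path = File::Spec->catfile($PHOTO_DIR, $name);
    # Defence in depth: resolve symlinks and confirm we are still inside the base.
    my ($real, $base) = (abs_path($path), abs_path($PHOTO_DIR));
    return unless defined $real && defined $base && index($real, "$base/") == 0;
    return $path;
}

# Constructed sample values for the "photo" parameter.
for my $p ('cat.jpg', '../../../../usr/mydata/private.txt', '/etc/passwd',
           '.htaccess', "cat.jpg\0.txt", 'cat.jpg/../secret', "cat.jpg\n") {
    (my $shown = $p) =~ s/([\0\n])/sprintf '\\x%02x', ord $1/ge;
    printf "%-40s %s\n", $shown,
        defined(clean_photo_name($p)) ? 'accepted' : 'refused';
}
```

Only `cat.jpg` is accepted. Every other sample is refused before a path is ever built.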