BTW, just because a user says that the file is a .jpg does not mean it is a .jpg. There are a couple of XSS exploits based on this, because some browsers will look at what they get, figure it out, and do the appropriate thing ("oh look, this Javascript is called .jpg, but it's really a script, so I'll execute it. Oops.")

To steal from House, "users always lie". Validate the file you get in the upload and process it accordingly instead of trusting that the file is what it says it is. (edit: typo.)