On http://www.w3schools.com/php/php_file_upload.asp in the "Restrictions on Upload" section, they are relying on $_FILES["file"]["type"] to determine the file type, making it appear safe. This is far from the truth, however, as $_FILES["file"]["type"] contains the MIME type provided by the client browser. By forging the Content-Type header in the HTTP request to contain one of the whitelisted types, you can upload any file to the server. This means that you can upload and most likely execute e.g. PHP scripts, with potentially devastating results.
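The difference between the client-supplied type and a server-side check, as an added example that is not part of the original post or of the w3schools tutorial. The function names, the allowlist and the sample file are constructed for illustration, and the code assumes PHP 7.1+ with the bundled fileinfo extension enabled.

```php
<?php
// Allowlist: server-detected MIME type => extension the file is stored under.
const ALLOWED = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];

// Weak check, as described in the post: 'type' is copied from the
// Content-Type header of the request, so the client chooses its value.
function weakCheck(array $file): bool
{
    return isset(ALLOWED[$file['type']]);
}

// Server-side check: ignore 'type' and the client file name, inspect the
// stored bytes instead. Returns the extension to use, or null to reject.
function detectAllowedExtension(string $tmpPath): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    return ($mime !== false && isset(ALLOWED[$mime])) ? ALLOWED[$mime] : null;
}

// Hypothetical handler: accepts one $_FILES entry, returns the stored path or null.
function storeUpload(array $file, string $uploadDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = detectAllowedExtension($file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    // Server-generated name with an allowlisted extension: nothing from the
    // client-supplied file name reaches the file system.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Constructed sample (CLI): a text file holding PHP source, with a
// client-claimed type of image/gif.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php echo 'hello'; ?>\n");
$claimed = ['type' => 'image/gif', 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK];

var_dump(weakCheck($claimed));          // decision driven by the claimed type
var_dump(detectAllowedExtension($tmp)); // decision driven by the file content
unlink($tmp);
```

Content sniffing is only one layer, since a valid image can still carry embedded script text. The server-chosen name and extension, plus an upload directory where the web server does not execute scripts, are what keep a stored file from being run.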
Please fork the repo or use GitHub’s Fork&Edit (see the GH blog) and add it in.
Thanks Kwpolska. :)
what he said ^_^
Also, w3schools now has a handy bug reporting form at the button. You should also say this there.
We have decided to not handle server-side technology sections on W3fools.