
File upload security

11/14/2024 8:42:12 AM
PHPRunner Tips and Tricks
Sergey Kornilov admin

This applies to both PHPRunner and ASPRunner.NET.

The question our customers sometimes ask is as follows:
What would happen if a hacker renames .php or .js to PNG or PDF and uploads it to the web server? Is this a security risk, and how can it be avoided?

The short answer is No, this is not a security risk. PNG or PDF files will not be executed by the web server and can only be downloaded back.

As an additional security measure it is recommended to store uploaded files outside of the web server root folder, so they cannot be executed via a web browser. You can find more info here:
https://xlinesoft.com/blog/2021/06/17/secure-low-code-web-applications/

If you need to make sure that only real PNG, GIF, JPEG, PDF, etc. files can be uploaded, that can be done too, though it doesn't improve the security one bit. If your client insists on such measures, you can use events like AfterAdd/AfterEdit to examine file content and delete it if it doesn't validate as a real PNG or PDF file. The following articles can help:
http://www.libpng.org/pub/png/spec/1.2/PNG-Structure.html
https://medium.com/@jberkenbilt/the-structure-of-a-pdf-file-6f08114a58f6
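The content check described in the post, as an added example that is not code from PHPRunner, ASPRunner.NET or the post's author. It ignores the file extension and decides from the bytes themselves, using the PNG signature/IHDR/IEND structure and the PDF header/trailer from the two linked articles (plus the equivalent markers for GIF and JPEG). The AfterAdd usage at the bottom, the field name `attachment`, the JSON layout of the stored file list and the upload directory are assumptions to adapt to your own project.

```php
<?php
// Added example, not PHPRunner/ASPRunner.NET code. Content-based validation of
// uploaded files for use from an AfterAdd/AfterEdit event; the extension is
// ignored and only the leading and trailing bytes decide.

/**
 * Detects the real type of a file from its content.
 * Returns 'png', 'gif', 'jpeg' or 'pdf', or null when the bytes match none of them.
 */
function detectFileType(string $path): ?string
{
    $size = @filesize($path);
    if ($size === false || $size < 8) {
        return null;
    }
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return null;
    }
    $head = fread($fh, 1024);
    $tailLen = min(1024, $size);
    fseek($fh, -$tailLen, SEEK_END);
    $tail = fread($fh, $tailLen);
    fclose($fh);

    // PNG: 8-byte signature, first chunk must be IHDR, file ends with the IEND chunk
    // (4-byte length, "IEND", 4-byte CRC), so "IEND" sits 8 bytes before the end.
    if (strncmp($head, "\x89PNG\r\n\x1a\n", 8) === 0) {
        return (substr($head, 12, 4) === 'IHDR' && substr($tail, -8, 4) === 'IEND') ? 'png' : null;
    }
    // GIF: GIF87a/GIF89a header, 0x3B trailer byte.
    if (strncmp($head, 'GIF87a', 6) === 0 || strncmp($head, 'GIF89a', 6) === 0) {
        return substr($tail, -1) === "\x3b" ? 'gif' : null;
    }
    // JPEG: SOI marker FF D8 FF at the start, EOI marker FF D9 at the end.
    if (strncmp($head, "\xff\xd8\xff", 3) === 0) {
        return substr($tail, -2) === "\xff\xd9" ? 'jpeg' : null;
    }
    // PDF: "%PDF-" header within the first 1024 bytes, "%%EOF" near the end.
    if (strpos($head, '%PDF-') !== false) {
        return strpos($tail, '%%EOF') !== false ? 'pdf' : null;
    }
    return null;
}

/**
 * Deletes the file unless its content is one of the allowed types.
 * Returns true when the file was kept, false when it was removed.
 */
function keepOnlyGenuineFile(string $path, array $allowedTypes): bool
{
    $type = detectFileType($path);
    if ($type !== null && in_array($type, $allowedTypes, true)) {
        return true;
    }
    @unlink($path);
    return false;
}

/**
 * Self-check with constructed files in the temp directory: a minimal PNG
 * skeleton (correct structure, not a real image) and a PHP snippet renamed
 * to .png. Returns [pngKept, renamedKept]; expected [true, false].
 */
function runDemo(): array
{
    $dir = sys_get_temp_dir();
    $png = $dir . '/demo-real.png';
    $renamed = $dir . '/demo-renamed.png';
    file_put_contents($png,
        "\x89PNG\r\n\x1a\n"
        . "\x00\x00\x00\x0dIHDR" . str_repeat("\x00", 13) . "\x00\x00\x00\x00"  // IHDR chunk (CRC not checked here)
        . "\x00\x00\x00\x00IEND\xae\x42\x60\x82");                              // IEND chunk with its real CRC
    file_put_contents($renamed, "<?php echo 'renamed script'; ?>");           // constructed, not an image
    $result = [
        keepOnlyGenuineFile($png, ['png', 'pdf']),
        keepOnlyGenuineFile($renamed, ['png', 'pdf']),
    ];
    @unlink($png);
    return $result;
}

// Assumed AfterAdd event body (event signature as in PHPRunner-generated code;
// the 'attachment' field, the JSON list of uploaded files with a 'name' key
// and the upload directory are assumptions, adapt them to your project).
function AfterAdd(&$values, &$keys, $inline, &$pageObject)
{
    $uploadDir = '/srv/app-data/uploads/';   // assumed path, outside the web root
    foreach (json_decode($values['attachment'] ?? '[]', true) ?: [] as $file) {
        keepOnlyGenuineFile($uploadDir . basename($file['name']), ['png', 'gif', 'jpeg', 'pdf']);
    }
}
```

Run `runDemo()` to see the skeleton PNG kept and the renamed script deleted. The checks are structural only (signature, first/last chunk or marker), which is exactly what the post calls for: they reject a file that is not really a PNG/GIF/JPEG/PDF, but they do not prove the image decodes, and they add nothing to the protection that storing uploads outside the web root already provides.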