Recently, I have become involved in PHP/MySQL web development. I have decided to take on a small project to better my understanding of the subject by programming a threaded discussion forum. I am designing it to be simple, with relatively few features, but there is one feature I would like to include. This is to have a user be able to upload an avatar via HTTP uploading. My question here is: wouldn't a file upload script be vulnerable to injection-based attacks? Wouldn't something like that allow execution of PHP or HTML code? Even injecting MySQL commands into the upload field? Are there any techniques available to stop malicious use of this kind of script? If so, I'd appreciate any replies. I have found a few articles on this on multiple search engines, but nothing as detailed as I am looking for.
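As an added example that is not part of the original post, here is one way an avatar upload handler can address the three concerns raised above (script execution, HTML injection, SQL injection). The form field name `avatar`, the storage path, the size limits and the `users` table with its `avatar` and `id` columns are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed storage directory. It should sit where the web server is
// configured NOT to execute scripts, so a stray .php file is never run.
const AVATAR_DIR = '/var/www/forum/avatars';
const MAX_BYTES  = 200 * 1024;
const MAX_SIDE   = 512; // pixels
// Allow-list: detected MIME type => extension chosen by the server.
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Call as: store_avatar($_FILES['avatar'], $userId, $pdo);
function store_avatar(array $file, int $userId, PDO $db): string
{
    // Only accept a file that PHP itself received in this request.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed.');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File too large.');
    }

    // Decide the type from the file's bytes. $file['name'] and
    // $file['type'] come from the client and are never trusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = is_string($mime) ? (ALLOWED[$mime] ?? null) : null;
    if ($ext === null) {
        throw new RuntimeException('Only PNG, JPEG or GIF is accepted.');
    }

    // The file must also parse as an image of reasonable dimensions.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || $info[0] > MAX_SIDE || $info[1] > MAX_SIDE) {
        throw new RuntimeException('Not a valid avatar image.');
    }

    // Server-generated name: the user's filename never reaches the disk,
    // the HTML output or the query, so it cannot carry ../, .php or markup.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], AVATAR_DIR . '/' . $name)) {
        throw new RuntimeException('Could not store file.');
    }

    // Prepared statement: values are bound, never concatenated into SQL.
    $stmt = $db->prepare('UPDATE users SET avatar = ? WHERE id = ?');
    $stmt->execute([$name, $userId]);

    return $name;
}
```

When the stored name is later written into a page, pass it through `htmlspecialchars()` like any other output.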