I know that only checking the file extension is not enough to make sure the file that was uploaded is really that type of file. But if uploaded files were handled according to their extension, would that still make an attack possible?
A user uploads a .jpg/.gif/.png file full of valid PHP code. But because these are supposed to be images, I only call them using src="". Would that still leave holes uncovered?
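
The scenario in the question, as an added example that is not part of the original post: a Python sketch that compares an upload's claimed extension with its leading bytes and flags a PHP opening tag in the content. The function name `inspect_upload`, the signature table and the sample bytes are assumptions constructed for illustration, and the tag scan is a heuristic rather than a complete content check.

```python
import os

# Leading-byte signatures for the three image types named in the question.
SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}

# Constructed sample inputs (not real uploads).
# A PNG signature followed by the start of an IHDR chunk; not a complete image.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + bytes(13)
# Plain PHP source that will be submitted under an image file name.
PHP_AS_JPG = b"<?php echo 'hello'; ?>"


def inspect_upload(filename: str, data: bytes) -> dict:
    """Report whether the bytes are consistent with the claimed extension."""
    ext = os.path.splitext(filename)[1].lower()
    allowed = ext in SIGNATURES
    # Only meaningful when the extension is one we know a signature for.
    signature_ok = allowed and data.startswith(SIGNATURES[ext])
    # Heuristic: a PHP opening tag anywhere in the content is suspicious
    # for a file that is supposed to be an image.
    has_php_tag = b"<?php" in data.lower()
    return {
        "extension": ext,
        "extension_allowed": allowed,
        "signature_matches": signature_ok,
        "contains_php_tag": has_php_tag,
        "accept": allowed and signature_ok and not has_php_tag,
    }


if __name__ == "__main__":
    for name, blob in [("photo.png", PNG_SAMPLE), ("avatar.jpg", PHP_AS_JPG)]:
        print(name, inspect_upload(name, blob))
```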