Like someone else said, compare the file extention to a whitelist. (assuming they uploaded a file via PHP).
$ext_whitelist = array('gif', 'jpeg', 'png');
$path = '/path/to/myScript.php' ;
$file_ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if (! in_array($file_ext, $ext_whitelist) {
// invalid
}
And when you move the file from the uploaded folder to a permanent folder, it's a good idea to rename the file slightly, prepend some random characters onto the end before the file extension. Hackers can't run the file easily if they don't know where you put it and what you renamed it too.
CR