Null Byte Injection
Extension check passed: images/../../../etc/passwd .jpg
File not found. But if this were PHP < 5.3.4, null byte would work!
This simulates what happens with null byte:
String before null byte: ../../../etc/passwd
Extension checked: passwd .jpg (ends with .jpg ✓)
Actual file opened: images/../../../etc/passwd
Null Byte Test
Old PHP versions (< 5.3.4) truncate strings at null byte (%00).
The extension check sees .jpg but the OS opens file.php
Test payloads: