You need to first find out what the original extension was ;-)

To do that, the pathinfo function can do wonders ;-)

Quoting the example that's given in the manual :

$path_parts = pathinfo('/www/htdocs/index.html');
echo $path_parts['dirname'], "\n";
echo $path_parts['basename'], "\n";
echo $path_parts['extension'], "\n";
echo $path_parts['filename'], "\n"; // since PHP 5.2.0

Will give you :

/www/htdocs
index.html
html
index

As a sidenote, don't forget about security :

• In your case, you should escape $_POST[lastname], to make sure it only contains valid characters
  • And, BTW, you should use $_POST['lastname'] -- see Why is $foo[bar] wrong?
• You should also check that the file is an image
  • See mime_content_type for PHP < 5.3
  • And/or finfo_file for PHP >= 5.3

this code is insecure

move_uploaded_file($_FILES["picture"]["tmp_name"], "peopleimages/" . "$_POST[lastname]" . '_' . "$_POST[firstname]". $extension);

if

$_POST[firstname] =mypicture.php%00

and

$extension=.jpg;

this code is vulnerable and result is

test.php%00.jpg //test.php uploaded on server.

for more information check this link:

https://www.owasp.org/index.php/Unrestricted_File_Upload

You can try:

move_uploaded_file($_FILES["picture"]["tmp_name"], "peopleimages/" . "$_POST[lastname]" . '_' . "$_POST[firstname]".".".end(explode(".", $_FILES["picture"]["tmp_name"])))

or as Niels Bom suggested

$filename=$_FILES["picture"]["tmp_name"];
$extension=end(explode(".", $filename));
$newfilename="$_POST[lastname]" . '_' . "$_POST[firstname]".".".$extension;
move_uploaded_file($filename, "peopleimages/" .$newfilename);

First, find the extension:

$pos = strrpos($filename, '.');
if ($pos === false) 
{
    // file has no extension; do something special?
    $ext = "";
}
else
{
    // includes the period in the extension; do $pos + 1 if you don't want it
    $ext = substr($filename, $pos);
}

Then call your file anyhow you want, and append to the name the extension:

$newFilename = "foobar" . $ext;
move_uploaded_file($_FILES['picture']['tmp_name'], 'peopleimages/' . $newFilename);

EDIT Thinking of it, none of this is optimal. File extensions most often describe the file type, but this is not always the case. For instance, you could rename a .png file to a .jpg extension, and most applications would still detect it is as a png file. Other than that, certain OSes simply don't use file extensions to determine the type of a file.

With $_FILE uploads, you are also given a type element which represents the MIME type of the file you've received. If you can, I suggest you rely on it instead of on the given extension:

$imagetypes = array(
    'image/png' => '.png',
    'image/gif' => '.gif',
    'image/jpeg' => '.jpg',
    'image/bmp' => '.bmp');
$ext = $imagetypes[$_FILES['myfile']['type']];

You can have a more complete list of MIME types here.

move_uploaded_file($_FILES["picture"]["tmp_name"], "peopleimages/" . "$_POST[lastname]" . '_' . "$_POST[firstname]." . pathinfo($_FILES["picture"]["tmp_name"], PATHINFO_EXTENSION));

Dont forget if you are allowing people to upload arbitrary files, without checking the, extension, they can perfectly well upload a .php file and execute code on your server ;)

The .htaccess rules to deny php execution inside a certain folder is something like this (tailor for your setup)..

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

Put this into a .htaccess file into the folder where you are uploading files.

Otherwise, just bear in mind that files may have more than one "." in them, and you should be golden.