VB didn't check for extension of file upload? :|
wow… just wow.
In this case checking the extension would work, as it'd have to be *.php to be executed by the webserver. But more generally, you want to verify that the file is actually of the type the extension claims it to be. This can be done quickly with magic numbers; if you have the Unix program file (either in Linux or OSX), you can run it on various files to see what types they are, and this works even if you change the extension.
For something as important as taking uploads that will be publicly available, you will probably want to verify that a particular image actually contains valid image data; there's a certain layout that image file formats have, with tables and various headers with sizes and offsets, and you can make sure that an image is really an image and not some kind of crafted file that exploits image display libraries.
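The magic-number and layout checks described in the comment above, sketched for PNG as an added example (not code from the thread). The function names and sample bytes are constructed for illustration; it validates the container structure only and does not decode pixel data.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"  # the PNG magic number

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def validate_png(blob: bytes, max_dim: int = 10000) -> tuple[bool, str]:
    """Return (ok, reason). Checks the magic number, then walks the chunk layout."""
    if not blob.startswith(PNG_SIG):
        return False, "bad magic number"
    pos, seen = len(PNG_SIG), []
    while pos < len(blob):
        if len(blob) - pos < 12:  # length + type + CRC is 12 bytes minimum
            return False, "truncated chunk header"
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(blob):  # declared size must fit inside the file
            return False, "chunk length runs past end of file"
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        if crc != zlib.crc32(ctype + data):
            return False, "CRC mismatch in " + ctype.decode("latin-1")
        if not seen:  # the first chunk must be a well-formed IHDR
            if ctype != b"IHDR" or length != 13:
                return False, "first chunk is not a 13-byte IHDR"
            width, height = struct.unpack(">II", data[:8])
            if not (0 < width <= max_dim and 0 < height <= max_dim):
                return False, "implausible dimensions"
        seen.append(ctype)
        pos = end
        if ctype == b"IEND":
            break
    if not seen or seen[-1] != b"IEND":
        return False, "missing IEND"
    if b"IDAT" not in seen:
        return False, "no image data"
    if pos != len(blob):  # bytes after IEND are ignored by viewers, so reject them
        return False, "trailing data after IEND"
    return True, "ok"

# Constructed samples: a 1x1 grayscale PNG, a script renamed to .png, a PNG with appended bytes.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
GOOD = PNG_SIG + chunk(b"IHDR", IHDR) + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b"")
RENAMED = b"<?php echo 1; ?>"
POLYGLOT = GOOD + RENAMED
```

A file can pass the magic-number test and still carry appended content, which is why the walk continues to the end of the file instead of stopping at the signature.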