Kia ora team, just a general question for the developer types out there.
We have a little custom calendar 'app' we use to manage our civil teams who aren't, obviously, office-bound with easy PC access. It's HTML (with bootstrap for styling/responsiveness) with a PHP & MySQL back-end. The whole thing is behind a log-in.
I'm knocking together a basic web form they can use for near miss reporting so they can just jump on their phones and fill this out. I'd like to include a file upload field so they can take a photo and upload if required. I just wanted to sound off what I plan on doing and see if it's the "right" thing to do...
- User submits form
- PHP to check file type, and if it's actually an image (apparently getimagesize() can be used to do that?)
- If file OK, rename with a unique ID (to avoid conflicting file names) and dump in to a folder in the web directory
- Create a DB entry (probably just do a separate table for them I guess?) with the UID/filename, and other appropriate info to index against the correct 'near miss report'
From there a "manager" will just get a notification a new report has been submitted, and they can jump on to view a list of the reports and export a PDF of the report if required - hence the need to store the image.
Does that all sound OK? Anything else I should verify before letting the file be uploaded to the script?
This isn't a "mission critical" type application. It runs on a VM that gets backed up daily, so I'm not overly concerned with security, but also don't want the pain of having to rebuild it just because of some dodgy file upload.
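One way to implement the upload steps in the list above (type check via getimagesize(), rename to a unique ID, move into a folder, index in the DB), as an added example that is not the poster's code. The `near_miss_photos` table and its columns, the `$pdo` connection, the `$uploadDir` path and the 8 MB limit are all assumptions.

```php
<?php
// Added example: hardened version of the upload step described in the post.
// Assumes a PDO connection in $pdo and a hypothetical table
// near_miss_photos (report_id, stored_name, original_name, mime).

function storeNearMissPhoto(array $file, int $reportId, string $uploadDir, PDO $pdo): string
{
    // 1. Only accept a complete upload that PHP itself received via POST.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed or was not a real upload');
    }
    // 2. Hard size limit (phone photos are large; 8 MB is an assumed cap).
    if ($file['size'] > 8 * 1024 * 1024) {
        throw new RuntimeException('File too large');
    }
    // 3. Decide the type from the bytes, never from the client-supplied
    //    filename or the MIME type the browser claims.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        throw new RuntimeException('Not a valid image');
    }
    $allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    if (!isset($allowed[$info[2]])) {
        throw new RuntimeException('Image type not permitted');
    }
    // 4. Random server-chosen name and extension: the original filename
    //    is kept only as a DB column, never used on the filesystem.
    $storedName = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    $dest = rtrim($uploadDir, '/') . '/' . $storedName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // readable by the web server, not executable
    // 5. Index the photo against the report with a prepared statement.
    $stmt = $pdo->prepare(
        'INSERT INTO near_miss_photos (report_id, stored_name, original_name, mime)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$reportId, $storedName, basename($file['name']), $info['mime']]);
    return $storedName;
}

// Usage from the form handler (field name "photo" is assumed):
// $name = storeNearMissPhoto($_FILES['photo'], (int) $_POST['report_id'],
//                            __DIR__ . '/uploads', $pdo);
```

One caveat on the "folder in the web directory" step: make sure the web server will not execute scripts from that folder (disable PHP for it in the server config), or keep the folder outside the web root and serve the photos through a small PHP handler that reads the stored name from the DB.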