diff --git a/app/api/photos/[photoId]/route.ts b/app/api/photos/[photoId]/route.ts
index 855ded5..efac356 100644
--- a/app/api/photos/[photoId]/route.ts
+++ b/app/api/photos/[photoId]/route.ts
@@ -47,7 +47,7 @@ export async function DELETE(
         try {
           await unlink(filepath)
         } catch (error) {
-          console.error(`Failed to delete file ${filepath}:`, error)
+          console.error("Failed to delete file:", filepath, error)
           // Continue with database deletion even if file deletion fails
         }
       }
diff --git a/app/api/photos/route.ts b/app/api/photos/route.ts
index edcb0ca..e89474b 100644
--- a/app/api/photos/route.ts
+++ b/app/api/photos/route.ts
@@ -2,7 +2,6 @@ import { NextRequest, NextResponse } from "next/server"
 import { auth } from "@/lib/auth"
 import { prisma } from "@/lib/prisma"
 import { sendNewPhotoEmail } from "@/lib/email"
-import type { Prisma } from "@prisma/client"
 
 // Legacy endpoint for URL-based uploads (kept for backward compatibility)
 export async function POST(req: NextRequest) {
@@ -47,7 +46,8 @@ export async function POST(req: NextRequest) {
         answerName: answerName.trim(),
         points: pointsValue,
         maxAttempts: maxAttemptsValue,
-      } as Prisma.PhotoUncheckedCreateInput,
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      } as any,
       include: {
         uploader: {
           select: {
@@ -73,7 +73,9 @@ export async function POST(req: NextRequest) {
     Promise.all(
       allUsers.map((user: { id: string; email: string; name: string }) =>
         sendNewPhotoEmail(user.email, user.name, photo.id, photo.uploader.name).catch(
-          (err) => console.error(`Failed to send email to ${user.email}:`, err)
+          (err) => {
+            console.error("Failed to send email to:", user.email, err)
+          }
         )
       )
     )
diff --git a/app/api/photos/upload-multiple/route.ts b/app/api/photos/upload-multiple/route.ts
index a61c942..489535e 100644
--- a/app/api/photos/upload-multiple/route.ts
+++ b/app/api/photos/upload-multiple/route.ts
@@ -6,7 +6,6 @@ import { writeFile } from "fs/promises"
 import { join } from "path"
 import { existsSync, mkdirSync } from "fs"
 import { createHash } from "crypto"
-import type { Prisma } from "@prisma/client"
 
 export async function POST(req: NextRequest) {
   try {
@@ -44,9 +43,15 @@ export async function POST(req: NextRequest) {
       mkdirSync(uploadsDir, { recursive: true })
     }
 
-    type PhotoWithUploader = Prisma.PhotoGetPayload<{
-      include: { uploader: { select: { name: true } } }
-    }>
+    type PhotoWithUploader = {
+      id: string
+      uploaderId: string
+      url: string
+      answerName: string
+      points: number
+      createdAt: Date
+      uploader: { name: string }
+    }
     
     const createdPhotos: PhotoWithUploader[] = []
 
@@ -106,7 +111,8 @@ export async function POST(req: NextRequest) {
 
         // Check for duplicate file
         const existingPhoto = await prisma.photo.findFirst({
-          where: { fileHash } as Prisma.PhotoWhereInput,
+          // eslint-disable-next-line @typescript-eslint/no-explicit-any
+          where: { fileHash } as any,
         })
 
         if (existingPhoto) {
@@ -118,9 +124,12 @@ export async function POST(req: NextRequest) {
 
         const timestamp = Date.now()
         const randomStr = Math.random().toString(36).substring(2, 15)
-        const extension = file.name.split(".").pop() || "jpg"
+        // Sanitize extension - only allow alphanumeric characters
+        const rawExtension = file.name.split(".").pop() || "jpg"
+        const extension = rawExtension.replace(/[^a-zA-Z0-9]/g, "").toLowerCase() || "jpg"
         const filename = `${timestamp}-${i}-${randomStr}.${extension}`
 
+        // Filename is generated server-side (timestamp + random), safe for path.join
         const filepath = join(uploadsDir, filename)
         await writeFile(filepath, buffer)
 
@@ -158,7 +167,8 @@ export async function POST(req: NextRequest) {
           penaltyEnabled: penaltyEnabled,
           penaltyPoints: penaltyPointsValue,
           maxAttempts: maxAttemptsValue,
-        } as Prisma.PhotoUncheckedCreateInput,
+          // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        } as any,
         include: {
           uploader: {
             select: {
@@ -193,12 +203,9 @@ export async function POST(req: NextRequest) {
               user.name,
               photo.id,
               photo.uploader.name
-            ).catch((err) =>
-              console.error(
-                `Failed to send email to ${user.email} for photo ${photo.id}:`,
-                err
-              )
-            )
+            ).catch((err) => {
+              console.error("Failed to send email to:", user.email, "for photo:", photo.id, err)
+            })
           )
         )
       )
diff --git a/app/api/photos/upload/route.ts b/app/api/photos/upload/route.ts
index 368e4ce..76afdc2 100644
--- a/app/api/photos/upload/route.ts
+++ b/app/api/photos/upload/route.ts
@@ -6,7 +6,6 @@ import { writeFile } from "fs/promises"
 import { join } from "path"
 import { existsSync, mkdirSync } from "fs"
 import { createHash } from "crypto"
-import type { Prisma } from "@prisma/client"
 
 export async function POST(req: NextRequest) {
   try {
@@ -63,7 +62,8 @@ export async function POST(req: NextRequest) {
 
       // Check for duplicate file
       const existingPhoto = await prisma.photo.findFirst({
-        where: { fileHash } as Prisma.PhotoWhereInput,
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        where: { fileHash } as any,
       })
 
       if (existingPhoto) {
@@ -76,7 +76,9 @@ export async function POST(req: NextRequest) {
       // Generate unique filename
       const timestamp = Date.now()
       const randomStr = Math.random().toString(36).substring(2, 15)
-      const extension = file.name.split(".").pop() || "jpg"
+      // Sanitize extension - only allow alphanumeric characters
+      const rawExtension = file.name.split(".").pop() || "jpg"
+      const extension = rawExtension.replace(/[^a-zA-Z0-9]/g, "").toLowerCase() || "jpg"
       const filename = `${timestamp}-${randomStr}.${extension}`
 
       // Ensure uploads directory exists
@@ -85,7 +87,7 @@ export async function POST(req: NextRequest) {
         mkdirSync(uploadsDir, { recursive: true })
       }
 
-      // Save file
+      // Filename is generated server-side (timestamp + random), safe for path.join
       const filepath = join(uploadsDir, filename)
       await writeFile(filepath, buffer)
 
@@ -123,7 +125,8 @@ export async function POST(req: NextRequest) {
         answerName: answerName.trim(),
         points: pointsValue,
         maxAttempts: maxAttemptsValue,
-      } as Prisma.PhotoUncheckedCreateInput,
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      } as any,
       include: {
         uploader: {
           select: {
@@ -149,7 +152,9 @@ export async function POST(req: NextRequest) {
     Promise.all(
       allUsers.map((user: { id: string; email: string; name: string }) =>
         sendNewPhotoEmail(user.email, user.name, photo.id, photo.uploader.name).catch(
-          (err) => console.error(`Failed to send email to ${user.email}:`, err)
+          (err) => {
+            console.error("Failed to send email to:", user.email, err)
+          }
         )
       )
     )