Indeed, someone pointed out above $_FILES[x][‘type’] can be very easily and arbitrarily changed. Make sure you never rename anything .php or any other parsed/executed file such as .shtml … One way to avoid this is to always, when you serve the image back out to users, to use a single php script to serve them back and to use something like readfile() so the contents are never interpreted. Also, if you are only accepting images, you could use something as simple as getimagesize() to help validate that it is a real image. But once again, be wared, make sure that user uploaded contents can never be executed, specificially by uploading, and then accessing that uploaded file via their web browser. I am just making a point, I could imagine someone could take enough time to make a valid JPEG file that while it would parse via getimagesize() might contain harmful code if executed as .php. It’s a long shot, but you must be prepared for anything. 🙂

On the subject of other types of abuse, you could use simple filters such as each IP only gets X bytes or total uploads (or both) per hour/day. If they exceed that limit, then use a very reliable captcha system such as reCAPTCHA. That way you never miss a legitimate request and abuse should be at a bare minimum, while not forcing every single image upload to go through a captcha.

Additionally, remember do NOT take precedence of X-FORWARDED-FOR. I have actually seen code like this:

if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { 
  $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else { 
  $ip = $_SERVER['REMOTE_ADDR'];
}

This is extremely wrong. X-FORWARDED-FOR can be sent by a forwarding proxy server, if it feels like it. It can also be sent by absolutely anything and everything else to trick fools into thinking their IP is something that is actually not.

As long as you use REMOTE_ADDR in combination with HTTP_X_FORWARED_FOR (and never trust HTTP_X_FORWARDED_FOR, only use it for a secondary reference), .. the chances of actual IP spoofing is next to nothing.