Suppose that our web-hosting is linux and php is installed:
1- What could be the worst that happens when a php code can be uploaded instead of an image.
2- Can the intruder somehow retrieve my database password ? suppose that the directory on which images get stored has 777 file permissions.
3- What if when the image directory has 644 permission?
The answer to my question can be combined with the ones given to these two: Security: How to validate image file uploads? and Security issues in accepting image uploads
Worst case: Intruder can execute arbitrary PHP code, maybe even arbitrary code on the server. If the attacker is clever enough while the sysadmins aren’t, he might even own the whole server/subnet/network/…
If the attacker can execute PHP code (which of course depends on your security measures), he can definitely read files from the current user, so the answer is most probably yes.
Unless you use PHP in CGI mode, the execute bit shouldn’t be necessary for the webserver to execute a script, so that alone doesn’t help.
Of course those are not the questions you should ask. The question you should ask is how to prevent an attacker from uploading an executable PHP file in the first place. My answer to that is that you should check the file extension against a white list and drop everything else, for example: