Of course, you can limit by file extension, but it's not safe. You can try rename a gif-file and upload it. A little bit safer is using mime-type to detect file type (but still no guarantee). Look at:
How do I find the mime-type of a file with php?
I think more safer is trying to get size of image or if convert to another image type is successful.
