As well as performing a check to see if the data is an image (with exif_imagetype), I now also strip off any file extension that is not in
('jpg','jpeg','png','gif','bmp','ico')
Safe extensions are added back onto hashed file names generated from files with parameters, so other programs can still see them as images.