MIME type can be faked.
VVV
$_FILES['userfile']['type']
The mime type of the file, if the browser provided this information. An example would be "image/gif". This mime type is however not checked on the PHP side and therefore don't take its value for granted.
http://www.php.net/manual/en/features.file-upload.post-method.php
[Editor's note: removed a reference to a deleted note, and edited the note to make sense by itself.]