
Is there any reason why a check on the extension wouldn't solve the problem?

   $fileDetails = pathinfo($src);
   // 'extension' is absent from pathinfo() output when the name has no dot, so guard it
   $ext = isset($fileDetails['extension']) ? strtolower($fileDetails['extension']) : '';


On some badly configured Nginx servers the filename extension isn't parsed correctly. A php.jpg file will be executed as php because a badly written regex will match the .php.

Even if you don't have such vulnerabilities you probably don't want people to be able to upload images to your server. They could easily send you over quota on shared hosting and use your bandwidth for serving their own images (including child porn).


Yup. Those would be my worst fears.


On a CubeCart plugin that had the same flaw as the timthumb.php one, I whitelisted image file extensions. This should work, as long as there aren't any local file include vulnerabilities in the site.

This still allows the attacker to host images on your site though.


> This still allows the attacker to host images on your site though.

Well put.

Probably best to remove allowed hosts altogether.


For most purposes, this would work. If you want to be extra safe, you can call getimagesize() on the file - this returns among other things the actual mime type of the file, allowing you to exclude anything but real image files.
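Putting the extension whitelist from the CubeCart comment together with the getimagesize() check from this one, as an added example in PHP that is not code from the thread or from timthumb (the function name, the whitelist and the sample path are assumptions):

```php
<?php
// Added example, not from the thread. Validates a local file that is meant to be
// served as an image. Assumption: $path is a file already on our own filesystem.
function is_allowed_image($path)
{
    // Extension whitelist (caller's policy), mapped to the IMAGETYPE_* constant
    // that getimagesize() is expected to report for that extension.
    $allowed = array(
        'jpg'  => IMAGETYPE_JPEG,
        'jpeg' => IMAGETYPE_JPEG,
        'png'  => IMAGETYPE_PNG,
        'gif'  => IMAGETYPE_GIF,
    );

    // 1. Whitelist the extension. pathinfo() looks only at the last dot, so
    //    "x.php.jpg" yields "jpg"; the web server config must therefore never
    //    hand such a name to the PHP handler (the Nginx regex issue above).
    $info = pathinfo($path);
    $ext  = isset($info['extension']) ? strtolower($info['extension']) : '';
    if (!isset($allowed[$ext])) {
        return false;
    }

    // 2. Check the content, not the name. getimagesize() parses the image
    //    header and returns false for anything that is not a real image.
    $size = @getimagesize($path);
    if ($size === false) {
        return false;
    }

    // 3. The detected type must agree with the extension, so a PNG renamed
    //    to .jpg is rejected instead of being served under a misleading name.
    return $size[2] === $allowed[$ext];
}

// Usage with a constructed path; reject the file when this returns false.
$candidate = '/var/www/uploads/example.jpg';   // assumed path
var_dump(is_allowed_image($candidate));
```

getimagesize() only validates the image header, so a genuine image with extra data appended still passes; it narrows what gets accepted but does not replace a server configuration that never executes files from the upload directory.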



