This looks pretty safe.
To further increase security you could use finfo_open to let PHP determine the mime type of the uploaded file, instead of relying on what the browser sent to PHP.
If you really want to go all out you could let GD open the image and save it again, which should remove all possible malicious code encoded in the image (believe me, it’s possible).
You could upload a php file with a crafted header and it’ll sail through.
Also, even if you extend it to test for mime type, this can also be bypassed by a file padded with fake data to mimic the header of an allowed filetype.
You should at least force the file extension to a safe one so that even if a malicious file does get uploaded, it cannot be activated directly.
As east Coast said, it isn’t safe. I’ve been hacked before by a file uploaded as an .flv file, and when I tried to open that file in WordPad it was a perfect PHP script. One way to combat this is to change the filename, preferably to a random filename, upon upload so the hacker can’t access his file.
Hidden directory? I don’t know if you can actually hide a directory. Do you mean a directory within the root of the server… outside public_html? Well, I guess that’s also good, as the uploaded file can’t be accessed via HTTP.
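
The measures suggested across this thread (server-side type detection with finfo, re-saving through GD, a forced extension, a random filename, storage outside the web root) combined into one routine. This is an added example, not code from any of the posters; `store_image_safely()`, the temp directory layout and the sample files are assumptions made for illustration.

```php
<?php
// Added example; store_image_safely() is a hypothetical helper, not code from the thread.
// $storeDir is assumed to be a directory outside the web root (e.g. above public_html).
function store_image_safely(string $tmpPath, string $storeDir): ?string
{
    // 1. Sniff the type server-side; the browser-supplied type and name are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, ['image/png', 'image/jpeg', 'image/gif'], true)) {
        return null;
    }
    // 2. A plausible header is not proof of an image: GD must be able to decode it.
    $img = @imagecreatefromstring(file_get_contents($tmpPath));
    if ($img === false) {
        return null;
    }
    // 3. Random name and an extension chosen by the server, never by the uploader.
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.png';
    // 4. Re-encode: only the decoded pixels are written, not the original bytes.
    imagesavealpha($img, true);
    return imagepng($img, $dest) ? $dest : null;
}

// Constructed samples (not real uploads): a valid PNG with extra bytes appended,
// and a file that merely starts with a GIF signature.
$dir = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$marker = 'TRAILING-DATA-MARKER';
ob_start();
imagepng(imagecreatetruecolor(8, 8));
$png = ob_get_clean();
file_put_contents("$dir/padded.tmp", $png . $marker);
file_put_contents("$dir/fake.tmp", 'GIF89a' . str_repeat('x', 64));

$stored = store_image_safely("$dir/padded.tmp", $dir);
echo 'padded PNG stored as: ', var_export($stored, true), PHP_EOL;
echo 'marker survived re-encode: ',
    var_export($stored !== null && strpos(file_get_contents($stored), $marker) !== false, true), PHP_EOL;
echo 'fake GIF stored as: ', var_export(store_image_safely("$dir/fake.tmp", $dir), true), PHP_EOL;
```

In an upload handler, pass the `tmp_name` entry from `$_FILES` once `is_uploaded_file()` has confirmed it.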