Repeat after me: never trust user input.
The PHP manual also warns for this value:
The mime type of the file, if the browser provided this information. An example would be “image/gif” . This mime type is however not checked on the PHP side and therefore don’t take its value for granted.
– https://secure.php.net/manual/en/features.file-upload.post-method.php
Honestly, PHP would be a lot better off if it did not provide this value in the array