Your script is vulnerable to an arbitrary file upload attack. A malicious user can get around the MIME type check simply by spoofing the MIME type in the POST data. This is further compounded as you do not check the file extension properly. Thus, an attacker can upload a .php script (or really, anything) to the web server so long as the MIME type meets the validation requirements.