Manuel Lemos from phpClasses.org has written an excellent post about the risks when allowing users to upload images. It's not something I've done a lot, but let's say you have a generated image such as this one – with a .php extension. I could upload it to your server and have it served from there – not much use to me because it would fail to update.
The next guy, however, might be uploading a malicious script that might take over your server, send spam, etc.
Read his post here: PHP security exploit with GIF images
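
One way to keep a client-chosen `.php` name off the server, as an added example that is not from this post or from the linked article: the hypothetical `storedNameFor()` helper picks the stored extension from the detected image type and never reads the uploaded file name. The sample inputs are constructed.

```php
<?php
// Added example: hypothetical helper, not code from the linked post.
// Only these detected image types are accepted, each with a fixed extension.
const ALLOWED_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

/**
 * Return a server-chosen file name for an upload, or null to reject it.
 * The client-supplied name is never consulted, so "picture.php" cannot
 * carry its extension onto the server.
 */
function storedNameFor(string $tmpPath): ?string
{
    $info = @getimagesize($tmpPath);   // inspects the file's header bytes, not its name
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        return null;                   // not an image type on the allowlist
    }
    // Random base name plus an extension taken only from the allowlist.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$info[2]];
}

// Constructed samples: a GIF header followed by filler bytes, and plain text.
$samples = [
    'picture.php' => "GIF89a\x01\x00\x01\x00\x00\x00\x00" . '[constructed trailing bytes]',
    'notes.gif'   => "just some text, not an image\n",
];

foreach ($samples as $clientName => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $stored = storedNameFor($tmp);
    printf("%-12s -> %s\n", $clientName, $stored ?? 'rejected');
    unlink($tmp);
}
// In a real handler $tmpPath is $_FILES[...]['tmp_name'] and the file is
// moved with move_uploaded_file() to a directory where PHP is not executed.
```

The header check accepts the first sample even though extra bytes follow the GIF header, which is why the extension has to come from the server and the upload directory should not run scripts.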