Nor should any directory within your web tree have permissions sufficient for an upload to succeed, on a shared server.
Any other user file flirten that shared server could write a PHP script to dump anything they want in there! Browsers aren't consistent in their mime-types, so you'll never catch all the possible combinations of types for any given file format.
It can be forged, so it's crappy security anyway. File flirten example, images can quickly and easily be run through imagegetsize and you at least know the first N bytes LOOK like an image.
That doesn't guarantee it's a valid image, but it makes it much less likely to be a workable security breaching file. One should move the uploaded file to some staging directory.
Then you check out its contents as thoroughly file flirten you can. THEN, if it seems kosher, move it into a directory outside your web tree.
Any access to that file flirten should be through a PHP script which reads the file. Putting it into your web tree, even with all the checks you can think of, is just too dangerous, imnsho. There are more than a few User Contributed notes here with naive bad advice.