First do a var_dump on the $_FILES variable to check if the array key you are using is the correct one, and you should never just grab a variable that comes from user input and just use it, try doing a isset or empty before you use the variable.
After you found what is the key you will use wp_check_filetype because it will give safer data about the file, you will have to do 2 in_array to check if both the mimetype of the file and the extension belongs to the set you are allowing the user to upload, if not throw the user an message. Exemple of in_array:
$extention = 'doc';
$allowed_extensions = array( 'doc', 'docx', 'pdf' );
$mime="text/javascript";
$allowed_mime = array( 'application/msword', 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', 'application/vnd.ms-word.document.macroEnabled.12' );
if ( ! in_array( $extension, $allowed_extensions ) ){
return false;
}
if ( ! in_array( $mime, $allowed_mime ) ){
return false;
}
If you want to check for file size, you can use check_upload_size, which is also a WordPress method that uses the site upload limit as a guide.