You don’t say where this code is running – for users or just for admins. Here are a few tips, taken heavily from this article on Wordfence.
The first check you can run is current_user_can to see if the current user is allowed to upload files using:
    if ( current_user_can( 'upload_files' ) ) {
        // the current user is allowed to upload files; continue with the upload
    }
Next you can use wp_check_filetype to see if it’s a valid extension.
    $fileInfo = wp_check_filetype( basename( $_FILES['haq_slider']['name'] ) );
    if ( ! empty( $fileInfo['ext'] ) ) {
        // This file is valid
    } else {
        // Invalid file
    }
The final test that Wordfence suggests is a call to PHP's getimagesize, which will return FALSE if it fails to read a valid image file.
    if ( ! @getimagesize( $_FILES['haq_slider']['tmp_name'] ) ) {
        wp_die( __( 'An invalid image was supplied.' ) );
    }
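Putting the three checks together into one handler, as an added example (not the answerer's code or the Wordfence article's): it assumes it runs inside WordPress, keeps the `haq_slider` field name from the snippets above, and uses `wp_check_filetype_and_ext()` in place of `wp_check_filetype()` so that the declared extension is also compared against the sniffed content type. The allowed-type list and the function name `haq_validate_slider_upload` are assumptions for the example.

```php
<?php
// Added example, not from the original answer. Assumes a WordPress
// runtime (current_user_can(), wp_check_filetype_and_ext(), WP_Error,
// __(), wp_die() are provided by WordPress, not defined here).

function haq_validate_slider_upload( array $file ) {
    // 1. Capability check: only users allowed to upload media may continue.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'haq_cap', __( 'You are not allowed to upload files.' ) );
    }

    // Sanity check on the PHP upload itself before reading its contents.
    if ( ! isset( $file['error'], $file['tmp_name'] )
        || UPLOAD_ERR_OK !== $file['error']
        || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'haq_upload', __( 'The upload did not complete.' ) );
    }

    // 2. Extension / MIME check. wp_check_filetype_and_ext() also sniffs the
    //    file contents and returns an empty 'ext' when the extension and the
    //    real type disagree. The allowed list is an assumption for this example.
    $allowed  = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
    );
    $fileInfo = wp_check_filetype_and_ext( $file['tmp_name'], basename( $file['name'] ), $allowed );
    if ( empty( $fileInfo['ext'] ) || empty( $fileInfo['type'] ) ) {
        return new WP_Error( 'haq_type', __( 'Only JPEG, PNG and GIF images may be uploaded.' ) );
    }

    // 3. Content check: getimagesize() returns false unless the bytes parse as an image.
    $size = @getimagesize( $file['tmp_name'] );
    if ( false === $size ) {
        return new WP_Error( 'haq_image', __( 'An invalid image was supplied.' ) );
    }

    // Hand back the sanitized details. WordPress may suggest a renamed file
    // ('proper_filename') when the extension did not match the real type.
    return array(
        'ext'      => $fileInfo['ext'],
        'type'     => $fileInfo['type'],
        'filename' => ! empty( $fileInfo['proper_filename'] )
            ? $fileInfo['proper_filename']
            : basename( $file['name'] ),
        'width'    => $size[0],
        'height'   => $size[1],
    );
}

// Usage from the form handler that receives the upload.
if ( isset( $_FILES['haq_slider'] ) ) {
    $result = haq_validate_slider_upload( $_FILES['haq_slider'] );
    if ( is_wp_error( $result ) ) {
        wp_die( $result->get_error_message() );
    }
    // $result['filename'], $result['type'] etc. are now validated and can be
    // passed on to wp_handle_upload() or the media library.
}
```

The order matters: the capability test is cheapest and runs first, the upload-status test rules out partial or non-uploaded paths before anything reads the temp file, and only then are the file's name and bytes inspected.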