All of the code in your question can be replaced with:
require_once( ABSPATH . 'wp-admin/includes/image.php' );
require_once( ABSPATH . 'wp-admin/includes/file.php' );
require_once( ABSPATH . 'wp-admin/includes/media.php' );
if ( $_FILES ) {
foreach ($_FILES as $file => $array) {
$image_post_id = media_handler_upload( $file );
if ( is_wp_error( $image_post_id ) ) {
$error .= $image_post_id->get_error_message();
} else {
// $image_post_id now holds the post ID of an attachment that is your uploaded file
}
}
}
The power of media_handle_upload means that now you have now completely outsourced your security, checking, and uploading to WordPress Core. media_handle_upload will be maintained long after you’ve finished your project, by people who are far smarter than either of us, and other people with a vested interest in keeping WordPress secure.
media_handle_upload will do all of the checking you get when you upload things via the dashboard, and will create attachment posts to represent these uploaded files in the database. It will also handle the creation of different image sizes, and compatibility with plugins, and respect the security settings specified in the dashboard.
If successful, it will return the ID of the attachment post it created. If unsuccessful, it will return a WP_Error object with an error message.
You can then use wp_get_attachment_url if you need the full URL of the attachment, or wp_get_attachment_image_src if you need to get a particular size for the image, e.g.:
$image = wp_get_attachment_image_src( $image_post_id, 'thumbnail' );
if ( $image != false ) {
echo $image[0];
}