
Is this everything I can do to make this upload form "safe"?


I made the same upload form for photo uploading as the one here. Is this everything I can do to protect my website, or do I need to add something? Thank you very much.


Solution

  • I'd say no. There are checks in there for restricting the type of the file being uploaded:

    if ((($_FILES["file"]["type"] == "image/gif")
    || ($_FILES["file"]["type"] == "image/jpeg")
    || ($_FILES["file"]["type"] == "image/pjpeg"))
    ....
    

    That "type" is provided by the browser and can't be relied on for security purposes. Someone could easily hack something together that sent an executable file with a type of "image/gif" and the script would happily accept it.

    A better check would be to use something like getimagesize or one of the other GD functions to verify that it is actually an image.
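As an added example that is not part of the original question or answer: the browser-supplied type check from the form, placed beside a content-based check built on getimagesize and finfo as the answer suggests, run against two constructed "uploads" that both claim to be image/gif. The helper name validate_image_upload, the size limit, and the sample file contents are assumptions for illustration; a real handler would also go through is_uploaded_file / move_uploaded_file, which the demonstration skips because it writes its own temporary files.

```php
<?php
// Added example, not code from the original question or answer.
// Hypothetical helper: accept an upload based on what the bytes actually are,
// never on $_FILES[...]['type'], which the client chooses freely.

const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

/**
 * Returns a server-chosen extension for the file, or null if it must be
 * rejected. The caller should store the file under a name it generates
 * itself, not under the name the browser sent.
 */
function validate_image_upload(string $tmpPath, int $maxBytes = 2 * 1024 * 1024): ?string
{
    if (!is_file($tmpPath) || filesize($tmpPath) > $maxBytes) {
        return null;
    }

    // getimagesize() parses the image header itself, so a script that merely
    // arrives with a type of image/gif fails here.
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset(ALLOWED_IMAGE_TYPES[$info[2]])) {
        return null;
    }

    // Second opinion from libmagic: both detectors must agree on the type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== image_type_to_mime_type($info[2])) {
        return null;
    }

    return ALLOWED_IMAGE_TYPES[$info[2]];
}

// Constructed inputs: a genuine 1x1 GIF and a PHP script. Both are presented
// to the checks with the browser-supplied type "image/gif".
$realGif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$fakeGif = "<?php echo 'this is a script, not an image'; ?>";

foreach (['real' => $realGif, 'fake' => $fakeGif] as $label => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);

    // Shape of the $_FILES entry the original form inspects.
    $upload = ['name' => 'photo.gif', 'type' => 'image/gif', 'tmp_name' => $tmp];

    // The check from the original form: trusts the client-supplied type.
    $browserCheck = in_array($upload['type'], ['image/gif', 'image/jpeg', 'image/pjpeg'], true);

    // The content-based check.
    $contentCheck = validate_image_upload($upload['tmp_name']);

    printf("%s: browser type check=%s, content check=%s\n",
        $label,
        $browserCheck ? 'accept' : 'reject',
        $contentCheck ?? 'reject');

    unlink($tmp);
}
```

Both files pass the browser-type check, while only the genuine GIF passes the content check. The helper returns an extension of its own choosing because the client's file name is as untrusted as its type: a file that really is a valid image can still have script text appended after the image data and pass getimagesize, so the stored copy should get a server-generated name and extension and live somewhere the web server will not execute it.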