Do I have to filter an input that allows uploading files?

[pneudralics]

How should I filter it or do I need to since it gets turned into a new name anyways? Are there any security issues with my below code?

 

if (isset($_POST['submit'])) {

//Start image upload
//Check for an image make new name with md5
$newname = md5($idsession*time()*rand(1,99999).$_FILES['signs']['name']);
$newname2 = $newname.'.gif';
$title = mysql_real_escape_string(htmlentities(strip_tags(trim($_POST['title']))));
$categoryname = mysql_real_escape_string(htmlentities(strip_tags(trim($_POST['category']))));

if ( !empty ($_POST['signs']) && !empty ($title) && !empty ($categoryname) ) {
if (move_uploaded_file ($_FILES['signs']['tmp_name'], "$tempfoldersigns\\"."$newname2")) {
	//Begin database insert
	if ( !empty ($newname2) ) {
		$insertsigns = "INSERT INTO temp (userid,type,title,category,image,timestamp) VALUES (\"$idsession\",'Signs',\"$title\",\"$categoryname\",\"$newname2\", NOW())";
		$insertsignsresult = mysql_query ($insertsigns);
		//echo '<font color="red">Database added successfully!</font><br />';
		echo '<font color="red">Sign uploaded successfully!</font><br />';	
	}
	else {
	echo '<font color="red">There is a problem with the database.</font><br />';	
	}//End database insert	
}
else {
echo '<font color="red">Sign did not upload.</font><br />';
}
}
else {
echo '<font color="red">Field is blank.</font><br />';
}

}//End isset submit

[Potatis]

 

$title = mysql_real_escape_string(htmlentities(strip_tags(trim($_POST['title']))));
$categoryname = mysql_real_escape_string(htmlentities(strip_tags(trim($_POST['category']))));

 

Man, I don't think anything can get through that.