I have a question:
I'm working on a script to upload files to a site.
How secure would you consider this to be, both in terms of the file type (in this case, jpg, gif, and png images only) and of user permission (the password)?
PHP Code:
<?php
session_start();
if(!isset($_POST['upload'])) {
    echo '
<form name="upload" enctype="multipart/form-data" method="POST" action="'.$_SERVER['REQUEST_URI'].'">
File to Upload: <input type="file" name="file" size="13" value="">
Enter Password: <input type="password" name="pass">
<input type="submit" name="upload" value="Upload">
</form>
';
} else {
    $pass = $_POST['pass'];
    if ($pass == "secret") {
        $ok = array('image/gif', 'image/jpeg', 'image/jpg', 'image/png');
        $typeok = false;
        foreach($ok as $type){
            if ($type == $_FILES['file']['type']){
                $typeok = true;
                break;
            }
        }
        if ($typeok) {
            $uploadpath = 'uploads/';
            $filename = $_FILES['file']['name'];
            $filesize = $_FILES['file']['size'];
            $tmpname_file = $_FILES['file']['tmp_name'];
            if($filesize > '5000000') {
                echo "File is too large";
            } else {
                if(move_uploaded_file($tmpname_file, "$uploadpath$filename")) {
                    echo "Successful upload to: ".$uploadpath.$filename."<br>
<img src=\"".$uploadpath.$filename."\">";
                } else {
                    echo "Upload Failed";
                }
            }
        }
    } else {
        echo "Incorrect Password";
    }
}
?>
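A hardened version of the upload handler posted above, as an added example that is not part of the original post: it ignores the browser-supplied `$_FILES['file']['type']` and `$_FILES['file']['name']`, detects the type from the file's bytes, picks the stored filename itself, and checks the password against a hash. `handle_upload`, `UPLOAD_DIR`, `PASS_HASH` and the `ALLOWED` map are assumed names, and the hash value is a placeholder.

```php
<?php
declare(strict_types=1);

// Assumed names and paths; none of these come from the original post.
const UPLOAD_DIR = __DIR__ . '/uploads/'; // serve this directory with script execution disabled
const MAX_BYTES  = 5000000;               // same size limit as the original script
// Placeholder: generate once with password_hash() and keep it out of the web root.
const PASS_HASH  = 'REPLACE_WITH_password_hash_OUTPUT';
// Detected MIME type => extension chosen by the server, never by the client.
const ALLOWED = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];

function handle_upload(array $file, string $password): string
{
    // password_verify() compares against a stored hash instead of a literal in the source.
    if (!password_verify($password, PASS_HASH)) {
        return 'Incorrect Password';
    }
    // Rejects failed uploads and multi-file (array) submissions.
    if (($file['error'] ?? null) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return 'Upload Failed';
    }
    // Application-level limit; upload_max_filesize in php.ini caps the size earlier.
    if ($file['size'] > MAX_BYTES) {
        return 'File is too large';
    }
    // Detect the type from the file's bytes; $file['type'] is whatever the browser sent.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED)
        || getimagesize($file['tmp_name']) === false) {
        return 'File type not allowed';
    }
    // Random name with our own extension: no client path, no ".php" suffix, no overwrites.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . $name)) {
        return 'Upload Failed';
    }
    // Escape before echoing into HTML, even though the name is server-generated.
    $url = htmlspecialchars('uploads/' . $name, ENT_QUOTES, 'UTF-8');
    return 'Successful upload to: ' . $url . '<br><img src="' . $url . '">';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file'])) {
    $pass = is_string($_POST['pass'] ?? null) ? $_POST['pass'] : '';
    echo handle_upload($_FILES['file'], $pass);
}
```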