// Created on savesnippets.com · https://savesnippets.com/5FnvxynvCDuKMS
<?php
function detectMime(string $path): string {
    if (!is_file($path)) throw new RuntimeException("$path is not a file");
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    if ($mime === false) throw new RuntimeException('MIME detection failed');
    return $mime;
}

function isImageUpload(string $path): bool {
    $allowed = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];
    return in_array(detectMime($path), $allowed, true);
}

// User says "it's a .png" — we verify by looking at the bytes.
if (!isImageUpload($_FILES['avatar']['tmp_name'])) {
    http_response_code(415);
    exit('Only JPEG/PNG/GIF/WebP allowed');
}