as long as you rename with your own file name and extension, and have no include type vulnerabilities in your apps code (ie: include($_GET['whatever']);), this is fairly good. you will also want to make sure everything on your server stack is the latest version (especially anything that processes images/video).

others would recommend including a file serving script which outputs the file, instead of keeping the file in a public folder and referencing the file directly in your src attributes. some would also recommend virus scanning everything.

I can also recommend the followings:

1. is_uploaded_file Returns TRUE if the file named by filename was uploaded via HTTP POST. This is useful to help ensure that a malicious user hasn't tried to trick the script into working on files upon which it should not be working--for instance, /etc/passwd.This sort of check is especially important if there is any chance that anything done with uploaded files could reveal their contents to the user, or even to other users on the same system.

2. basename() function to get only file name such as basename(c:/fakepath/something.avi); // will return something.avi since some people try to deceive the computer by giving directory-alike file names.

More about basename():

When you upload a file, you want to move a file to the directory you want for example under /uploads/ folder and but a malicious user can name the file such as something/hello.jpg and then when you move the file with move_uploaded_file($source,$destionation) your $destination would be /uploads/something/hello.jpg and that causes problems. To ensure you got only the proper file name you need to use basename() function which returns hello.jpg and so on.

$file_name = basename($_FILES["upload_ctrl"]["name"]);
if(!move_uploaded_file($_FILES["upload_ctrl"]["tmp_name"],"uploads/".$file_name))
    echo "Opps I cannot upload the file";

For usage of basename visit here: http://php.net/manual/en/function.basename.php