Maybe. It is necessary to check the "body" of the file for the correctness of the fact that this is exactly the image file. Trite - try to get the size of the image using functions for the programming language used.
For example, for PHP: GD library function getimagesize() .
Also, you need to prevent the launch of everything in a row from storage folders!
For understanding, do a Google search (with quotes!):

"Надежная защита веб-сайта от большинства видов атак"

and read the 1st link.
------------------------------------------------- I'll
add also, what can be initially saved to the "sump" / "storage" - a directory above webroot and inaccessible from the outside (i.e. the web server will not be able to return the contents of the file or make it run).
Further, 2 options:
1. If this is a "sump" - we check and move it where necessary
2. If it is a "storage" - we check and leave it there, then we read it with web server scripts directly from that directory.

Not only can, but will certainly do so, if he is given such an opportunity;)

Above xmoonlight and CityCat4 have already said everything.
I just want to add that in the directory where "for example pictures" are loaded, it should be forbidden to start anything, both at the php level and the system itself.

Maybe. It is necessary to check everything in the file - extension, type. It works in such a way that it first loads the photo file, then looks from where this picture began to open, loads the php file, for example, with the command to delete everything in this folder, a folder above or something else and types its address in the browser, like this launching it.
Also, for protection, it would be nice to prohibit the execution of any files in the photo directory, for example, using htaccess