akman
  • 61
  • 1

Totally agree with the accepted answer,
but I would suggest that you do a little bit more than just playing around with the file name. You should re-compress the original/uploaded file with PHP using GD or Imagick and use the new image. This way you destroy any injected code (well, to be honest, 90% of the time; there are ways to make the code survive the compression, but it's a lot of work).

Also you could use .htaccess files to prevent the upload directory from running PHP code (I don't know about IIS; there is probably an equivalent .webconfig).

```apache
<FilesMatch \.php$>
    SetHandler application/x-httpd-php
</FilesMatch>
```

This way the uploaded file will be executed only if the "final extension" is php, so image.php.jpg will not be executed.

Some resources:

a nice article about file uploads

php manual installing apache

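A worked version of the re-compression step described in the answer above, added here as an example and not code from the answer itself. It assumes the GD extension is loaded, that the form field is named `image`, and that `uploads/` is a directory covered by a rule like the FilesMatch one so nothing in it is executed as PHP.

```php
<?php
// Added example: re-encode an uploaded image with GD so the file written to
// disk is a fresh image the server produced, not the bytes the client sent.
// Assumptions: GD available, form field "image", uploads/ not PHP-executable.

function reencodeUpload(string $tmpPath, string $uploadDir): ?string
{
    // Trust only what the decoder sees, never the client's name or MIME type.
    $info = @getimagesize($tmpPath);
    $decoders = [
        IMAGETYPE_JPEG => 'imagecreatefromjpeg',
        IMAGETYPE_PNG  => 'imagecreatefrompng',
        IMAGETYPE_GIF  => 'imagecreatefromgif',
    ];
    if ($info === false || !isset($decoders[$info[2]])) {
        return null; // not a JPEG/PNG/GIF we are willing to accept
    }

    $decode = $decoders[$info[2]];
    $src = @$decode($tmpPath);
    if ($src === false) {
        return null; // header looked right but the body did not decode
    }

    // Copy pixels onto a new canvas: only pixel data survives, so EXIF,
    // comments and trailing bytes from the original are dropped.
    $w = imagesx($src);
    $h = imagesy($src);
    $dst = imagecreatetruecolor($w, $h);
    imagecopy($dst, $src, 0, 0, 0, 0, $w, $h);
    imagedestroy($src);

    // Server-chosen name with a fixed extension: nothing from the client
    // reaches the filename, so the image.php.jpg case cannot arise.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    $ok = imagejpeg($dst, $uploadDir . '/' . $name, 85);
    imagedestroy($dst);

    return $ok ? $name : null;
}

if (isset($_FILES['image']) && $_FILES['image']['error'] === UPLOAD_ERR_OK
    && is_uploaded_file($_FILES['image']['tmp_name'])) {
    $stored = reencodeUpload($_FILES['image']['tmp_name'], __DIR__ . '/uploads');
    echo $stored === null ? 'Rejected: not a valid image' : "Stored as $stored";
}
```

Transparency in PNG/GIF input is flattened by the JPEG re-encode; keep the output format fixed to whatever your application needs rather than mirroring the input.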