I don't understand; why are you getting them to email you an image and you move it for them? You can simply provide them with the form to perform the upload with; HTML only needs to provide an <input type="file" name="x"/> on it in order to allow an upload.
For security, you then validate the input data. Check the upload status error against UPLOAD_ERR_OK to verify that it's successful in upload. You then check the mimetype from the file. Finally, if you allow only images, you can read the binary file from the image, and simply provide that to gd's imagecreatefromstring() function. If it returns a valid resource, the image is actually an image and not simply an executable masquerading as one. Alternatively, parse the file yourself and verify the image header compared to the declared type (also in the header). This route takes more practice and knowledge of the definition of the file or knowledge on how to interpret them. Wiki should have lots of information on that, or at least links to the originating site that controls the structure.
When verified, move the file above the public_html directory. This will prevent direct access to the file. Preferably in a directory with a umask excluding the execute, or direct chmod of even just read all is sufficient.
Finally, you load it by writing a new script. This script's job is to take an id, compare that to your database to get the save path of the image, read the image data in (simple fread or even file_get_contents would probably do the trick [I find fopen to fpassthru is easiest]), while serving the proper header for the file. So in the DB, you'll need to store at minimum an id for it, a filepath for it (or partial), and finally a mimetype for it.
You then access this script as if it were an image.
<img src="myimages.php?id=mydbid" alt="An image."/>, and it'll serve just as a standard image.
header('HTTP/1.1 420 Enhance Your Calm');
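The upload and serving steps described in the post above, as an added PHP example that is not part of the original post. The `$pdo` handle, the `images(id, path, mime)` table, the `STORE_DIR` path and the function names are assumptions made for illustration.

```php
<?php
// Added example. Assumptions: $pdo is an open PDO handle, a table
// images(id, path, mime) exists, and STORE_DIR lies above public_html.
const STORE_DIR = '/home/example/private_uploads';   // hypothetical path
const ALLOWED   = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Upload side: validate $_FILES['x'], then store it outside the web root.
function store_upload(PDO $pdo, array $file): int
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    // Take the MIME type from the file content, not the client-sent 'type'.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = ALLOWED[(string) $mime] ?? null;
    if ($ext === null) {
        throw new RuntimeException('Type not allowed');
    }
    // gd must be able to decode the bytes as an image.
    if (@imagecreatefromstring(file_get_contents($file['tmp_name'])) === false) {
        throw new RuntimeException('Not a valid image');
    }
    // Server-generated name; the client filename is never used on disk.
    $path = STORE_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $path)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($path, 0640);                    // readable, no execute bit
    $pdo->prepare('INSERT INTO images (path, mime) VALUES (?, ?)')
        ->execute([$path, $mime]);
    return (int) $pdo->lastInsertId();
}

// Serving side (myimages.php?id=...): look the id up and stream the file.
function serve_image(PDO $pdo, string $id): void
{
    $stmt = $pdo->prepare('SELECT path, mime FROM images WHERE id = ?');
    $stmt->execute([(int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $fh  = $row ? @fopen($row['path'], 'rb') : false;
    if ($fh === false) {
        http_response_code(404);           // unknown id or missing file
        return;
    }
    header('Content-Type: ' . $row['mime']);   // type stored at upload time
    header('X-Content-Type-Options: nosniff');
    fpassthru($fh);
    fclose($fh);
}
```

The upload form handler would call `store_upload($pdo, $_FILES['x'])`, and `myimages.php` would call `serve_image($pdo, $_GET['id'] ?? '')`; the path sent to the browser never comes from user input, only from the database row.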