Your code is extremely insecure, besides being wrong.
1. (wrong) filesize() and readfile() want a local file name, not a URL. Technically, only filesize() does, but in reality you should just fix $fullpath.
2. (insecure) Uploaded files, especially if served by a proxy script like the current one, should reside above the web root, in a folder that is inaccessible from HTTP. If you don't have one, use .htaccess to disable HTTP requests to that folder.
3. (insecure) Your script allows an attacker to manipulate $filename and $format and download any file on the system that the PHP/Apache user has access to. That is, it would have been possible if the script weren't buggy.
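
One way to address all three points in a single download script, as an added example that is not part of the original answer or the asker's code. The storage directory, the `filename` and `format` request parameter names, the allowed formats and the helper `resolve_download()` are assumptions made for illustration.

```php
<?php
// Assumption: uploads live above the web root, not reachable over HTTP.
const STORAGE_DIR = '/var/app/uploads';
// Assumption: the only formats this script is ever meant to serve.
const ALLOWED_FORMATS = [
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
];

/**
 * Map user-supplied $filename/$format to a local path inside $storageDir.
 * Returns null for anything that is not a plain, existing file in that folder.
 */
function resolve_download(string $filename, string $format, string $storageDir): ?string
{
    if (!array_key_exists($format, ALLOWED_FORMATS)) {
        return null; // unknown extension
    }
    // Plain names only: no slashes, dots, NUL bytes or "../" sequences.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,100}\z/', $filename)) {
        return null;
    }
    $base = realpath($storageDir);
    $full = realpath($storageDir . DIRECTORY_SEPARATOR . $filename . '.' . $format);
    if ($base === false || $full === false) {
        return null; // directory or file does not exist
    }
    // realpath() resolved symlinks, so re-check that the result is still inside $base.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($full) ? $full : null;
}

$filename = $_GET['filename'] ?? '';
$format   = $_GET['format'] ?? '';
$fullpath = (is_string($filename) && is_string($format))
    ? resolve_download($filename, $format, STORAGE_DIR)
    : null;
if ($fullpath === null) {
    http_response_code(404); // same response for "invalid" and "missing"
    exit;
}
// $fullpath is a local file name, which is what filesize() and readfile() expect.
header('Content-Type: ' . ALLOWED_FORMATS[$format]);
header('Content-Length: ' . filesize($fullpath));
header('Content-Disposition: attachment; filename="' . basename($fullpath) . '"');
header('X-Content-Type-Options: nosniff');
readfile($fullpath);
```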
