how to be secure with file uploads...

[eluser]jedd[/eluser]
On a *nix system, change permissions to 770 for the directory, and 660 for all files therein (assuming owner and group are sensible).

I'd use UUID as the filename, and have a mapping in my files table back to the original filename. This means you can have a single directory containing all files (if you have a broken file system you can easily map that down to first four chars of the UUID, say, as sub-directories). md5sum is slightly more expensive than UUID, but my bigger concern there is it breaks if you offer your users the option to replace extant files. With UUID they keep the same identifier, with MD5 they will change. Of course, you may in fact prefer the latter approach.

For security I'd just put my file store outside of the web root - this seems a lot easier than wrapping lumps of code around the problem. If you want it in the web root (and really, that's what I end up doing just for portability's sake) stick an empty index.html in that directory and you're pretty much set. The only filenames they can pick (using the UUID method above) are ones that they've already been exposed to, and presumably you don't mind users accessing files that they've previously been allowed to access.