One application for multiple sites, maintainability vs security
#8

[eluser]Bramme[/eluser]
"different clients will be able to access each other’s files, through the disabled basedir restriction on the CMS account. "

I'd just dynamically make subfolders for every user's uploads and then let them only access their folder... Hardcode the folder URI in your CMS, protect the actual dirs with a .htaccess and I think you're set for that problem.

As for the PHP scripts: I guess you could scan for PHP and text files, read them into a variable and scan that variable for possible malicious code. If you found something, first display a warning "Caution: your file might contain malicious code, if anything bad happens to your site you are completely responsible". Then if they press "Okay, upload anyway", you move the uploaded file to their dir and keep it there. If they select "don't upload" you of course destroy the file...

Also, what I just thought of: if your users can upload CSS files, make sure the frontend of your application has a securely set MySQL user, that can only do a select few queries and only access their own table.
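
The per-user upload folder suggested in the post above, sketched as an added example that is not part of the original post or of the CMS under discussion. The upload root and the function names `user_upload_dir()` and `resolve_user_path()` are assumptions made for illustration.

```php
<?php
// Added illustration: every name and path below is hypothetical.

/** Return (creating it on demand) the upload folder of one CMS user. */
function user_upload_dir(int $userId, string $root): string
{
    // The folder name comes from the numeric account id only, never from request input.
    $dir = $root . DIRECTORY_SEPARATOR . 'user_' . $userId;
    if (!is_dir($dir) && !mkdir($dir, 0750, true) && !is_dir($dir)) {
        throw new RuntimeException("cannot create $dir");
    }
    return $dir;
}

/** Map a client-supplied file name to a path inside that user's folder, or throw. */
function resolve_user_path(int $userId, string $requested, string $root): string
{
    $base = realpath(user_upload_dir($userId, $root));
    if ($base === false) {
        throw new RuntimeException('upload folder is missing');
    }
    // basename() drops any directory part, so "../user_8/x.css" becomes "x.css".
    $name = basename(str_replace('\\', '/', $requested));
    // Refuse empty names and dotfiles: an uploaded ".htaccess" would override
    // the directory protection the folders rely on.
    if ($name === '' || $name[0] === '.') {
        throw new InvalidArgumentException('invalid file name');
    }
    $path = $base . DIRECTORY_SEPARATOR . $name;
    // For existing entries, resolve symlinks and re-check containment.
    $real = (is_link($path) || file_exists($path)) ? realpath($path) : $path;
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('path escapes the user folder');
    }
    return $real;
}

// Constructed demo: a temp directory stands in for the real upload root.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cms_uploads_demo';
echo resolve_user_path(7, '../user_8/site.css', $root), PHP_EOL; // stays inside user_7
try {
    resolve_user_path(7, '.htaccess', $root);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```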




