Its a good way to allways rename uploaded files using something like a MD5-hash and store the original filename in a database. If for some reason you dont want to rename it using a hash, you should filter the filename using some code like this one:

$filename = strip_tags($_FILES["upload"]["name"]); $filename = str_replace(array('|','<','>','"','\'',':','\','/','*','?'),'',$filename);

It's a good idea to deny the execution of all uploaded files: place a .htaccess file in your upload-directory:

RemoveHandler .cgi .shtm .shtml RemoveType .php .php3 .php4 .php5

deny from all

order deny,allow deny from all