Its a good way to allways rename uploaded files using something like a MD5-hash and store the original filename in a database.
If for some reason you dont want to rename it using a hash, you should filter the filename using some code like this one:
$filename = strip_tags($_FILES["upload"]["name"]);
$filename = str_replace(array('|','<','>','"','\'',':','\\','/','*','?'),'',$filename);
It's a good idea to deny the execution of all uploaded files: place a .htaccess file in your upload-directory:
RemoveHandler .cgi .shtm .shtml RemoveType .php .php3 .php4 .php5deny from all order deny,allow deny from all
