Alright, I'm convinced you guys know everything so I figure this is a good place to start.
How do I make sure secure file uploads can be done with PHP?
Immediate joke answer : Don't use PHP.
Ha, ha, ha, ha!
Now that that's out of the way, for real, how do I do this?
I've heard using any of the PHP $_FILE stuff is useless because the client can fake it all.
Some of the tips I've seen are, move uploaded files to outside of the web root. I'm on Ubuntu so my web root is /var/www/. I've heard I should instead upload files to some random other file not contained by /var/www. Sounds fair enough.
I've also heard that you should use a randomly generate filename and serve the requested uploaded documents using a script file that I've defined.
Are these good tips? Is there anything I should be aware of? I've heard that checking MIME types can be tricked and apparently, JPGs are like the most threatening thing in the entire world.
Edit :
I do have a whitelist of file types I want to allow too.
For example, XML, all images except GIF, DITA, DITAMAP and I think that's about it.
I've seen that one should use a database to map the random name to the "real" name of the file. This way I can write a separate script that can ping the database for the randomly generated filename and display the "real" name.