Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Lots of things to do when doing file uploads. First of all and maybe most importantly, use is_uploaded_file() (move_uploaded_file() checks for that automatically, btw). Do you have a whitelist of files types you accept from the user? If so add in validation that checks for those types.
http://www.scanit.be/uploads/php-file-upload.pdf for starters
There are some issues with that paper, which I'm too lazy to write about yet, but it covers the basics and (hopefully) eliminates the most stupid mistakes one can make.