There has been a lot of topics on the security of image uploads, but firstly it is permission of the directory 644
should do. Next you need to take care of the name, as suggested in the comments timestamp is fairly good way to go, however it must be combined with some randomly generated values (or use timestamp including milliseconds), however if you need to give the images a meaningful name, you must sanitize the user supplied name, filter out null bytes, directory traversals and other dangerous characters (I would whitelist and limit length of the image name, or randomly generate a string).
Rather than putting the image outside the web root, I prefer to use .htaccess
with option php_flag engine off
in it, to switch off any php execution in the directory. Also putting the images outside the web root makes them directly inaccessible, so you won't be able to use them in <img>
tag, unless you use a PHP script to serve the image (which is a fairly secure method, if implemented correctly).
Lastly you want to check if a valid image is being uploaded, commonly the GD
library is used, specifically the getimagesize
, which will return image size only if a valid image is uploaded.
Also check this topic on security of image uploads.