The logic behind will be to first check the input before allowing it to reach your server :)
if not upon your standards then exit();
as you mentioned you could check for size, type of content, disallow via regex many signs like WebmasterWorld disallow for ¦¦ (see how it looks when “cleaned”)
I personally disallow also for any type of brackets, slashes and more…
You could load their IP and disallow multi-loads from same IP, or allow from same IP upon a rule such as one upload every 30 secs.
If you are concerned with many users uploading at the same time
Create a few temp dir and if dir1 is busy redirect to dir2 etc

Hi, look at the ini setting "upload_max_filesize" which ensures no file larger than its value can be uploaded.

There's also the value MAX_FILE_SIZE which can be set in a hidden field in your form, but since it can be spoofed you can't rely on that to prevent DoS attacks.

Thanks Guys, that was lots of help, i understand the process much better now thankyou.

file_uploads
upload_max_filesize
max_input_time
memory_limit
max_execution_time
post_max_size