I have used that method in the past and it does work. I am yet to use it on a live site though. There are just so many security issues that you need to be aware of.

You need to make sure all files you allow users to upload. Just because something is an image file, does not mean it is only an image. There are so many ways if placing dangerous code within almost any file.

I am no expert on this, and I am hopeful that someone with more experience will join the thread.

Mack.

avoid gif files - they are dangerous (php code can be written inside them)
i found that jpg/jpeg/bmp are more secure in that way

pay attention to file names - allow only letters and numbers, avoid spaces and other special characters

limit size is mandatory - users tend to stick their camera/mobile/flash drive on their pc, select image and upload from there.

what will happen if a user deletes an image?
can he rename it? crop it? alter it? watermarked it?
are there unique urls per image?
take into cosideration seo approach on these issues.

for my tastes, i create a folder per user. All of his uploads end there (even the thumbs of his images)

Thanks guys,

First point definitely not gif images.
Secondo: all the images will be associated to different elements that are store in the database (elements like monuments, museum, religious building and some other type). Each element has a unique 10 chars string that I will use to generate the name of the images that I'm going to save in the server.
Most likely I'll set a 2MB limit and I will resize the image and save an original and a thumb ( the "original" will show up once you click on the thumb through something like lightbox or something like that). The thumb will have a fix length and width according if it is an horizontal or vertical image. The original I'll probably resize if the width and height are too big.
I'll have the control over the pictures that users will publish so I can automatically delete in case the picture is not proper.
What do you think? Any possible issues?

- Make sure the images have read only permissions once they've been moved to their permanent and publicly accessible location. Basically give it the least amount of permissions and no more.

- Preferably give it your own filename. Something like imagefile.php.apachedoesntknowthisextension can be parsed as PHP. At the very least sanitise/validate the file name.

- Have a look at client side technologies that can help shrink the image before it gets pushed to your server. People don't know that a 50MB file from their camera can be shrunk down to a more sane size with little loss in quality. "Uploadify" is a popular package that can accommodate this.

When I started my world in php I also had the same problem.
Its an endless search to know exactly how to do it.
You will need a script that will upload, resize and rename the images.

I eventually got hold of a script and adapted it to what I need by reverse engineering.
Let me know if you need sample script to do the same... It makes life so much easier!

If you use HTML5 you can resize the files using the File API before the upload thereby reducing the load on your hosting server.

See the following url for info:

[developer.mozilla.org...]