Take this standard file upload form:

<FORM ENCTYPE="multipart/form-data" ACTION="upload.php" METHOD=POST>
<INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="100000">
Send this file: <INPUT NAME="myfile" TYPE="file">
<INPUT TYPE="submit" VALUE="Send File">
</FORM>
The correct way to put the uploaded file in the right place:

<?php
    /* Not under DOCUMENT_ROOT */
    $destination = "/some/path/$myfile_name";  

    move_uploaded_file($myfile, $destination);
?>
If you are uploading files to be placed somewhere under the DOCUMENT_ROOT then you need to be very paranoid in checking what you are putting there. For example, you wouldn't want to let people upload arbitrary PHP scripts that they can then browse to in order to execute them. Here we get paranoid about checking that only image files can be uploaded. We even look at the contents of the file and ensure that the file extension matches the content. 

<?php
    $type = $HTTP_POST_FILES['myfile']['type'];
    $file = $HTTP_POST_FILES['myfile']['tmp_name'];
    $name = $HTTP_POST_FILES['myfile']['name'];
    $types = array(0,'.gif','.jpg','.png','.swf');
    list(,,$type) = getimagesize($file);
    if($type) {
        $name = substr($name,0,strrpos($str,'.'));    
        $name .= $types[$type];
    }    
    move_uploaded_file($myfile, "$DOCUMENT_ROOT/images/$name");
?>