well restrict the normal user to upload any php file on the website check the extention of the file and also restict the upload to a specific folder, and name the folder with some unknown names dont ever name the folder where u are uploading files as "uploads"
and try to block these folders...