I noticed a huge bug on a server which allows uploading any file (including *.php) and then executing it! It's terrible! I don't know whether I should prevent uploading *.php files or disable their execution in php.ini (which I don't know how to do).
If you use an Apache server, try placing a .htaccess file containing the string "php_flag engine off" in the target directory. This will block execution of any file as a PHP script for this directory and all subdirectories. Also prevent uploading any file with a filename starting with ".".
You can put your uploaded files outside the web root.
Also, you can set IIS to deny uploading PHP files: IIS 8.5 deny PHP upload
Also, you can set the upload folder's permission to disallow executing files inside it.
Also, you can check the files which are being uploaded for their type: http://php.net/manual/ro/function.mime-content-type.php
You can also set the permission to read/write, but not to execute.
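The checks suggested in the answers above, combined in one PHP upload handler. This is an added example, not code from the thread; `UPLOAD_DIR`, the `ALLOWED` list and `store_upload()` are assumed names and values, and `mime_content_type()` needs the fileinfo extension.

```php
<?php
declare(strict_types=1);

// Assumed values for this example: adjust to your application.
const UPLOAD_DIR = '/var/www/uploads';   // outside the web root (e.g. /var/www/html)
const ALLOWED = [                         // extension => expected MIME type
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'pdf' => 'application/pdf',
];

/**
 * Validate one entry of $_FILES and store it. Returns the stored path,
 * throws RuntimeException when the upload is rejected.
 */
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }

    $name = basename((string) $file['name']);
    // Reject dotfiles such as .htaccess, which could override the directory's settings.
    if ($name === '' || $name[0] === '.') {
        throw new RuntimeException('Dotfiles are not allowed');
    }

    // Allowlist on the final extension; "php", "phtml" etc. never match.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('File type not allowed');
    }

    // Compare the type detected from the file's bytes, not the client-supplied one.
    if (mime_content_type($file['tmp_name']) !== ALLOWED[$ext]) {
        throw new RuntimeException('Content does not match extension');
    }

    // Server-generated name: the client never controls the stored filename.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($target, 0640); // read/write, no execute bit
    return $target;
}
```

Call it as `store_upload($_FILES['upload'])` inside a try/catch, where `upload` is the assumed name of the form field. The directory-level settings from the answers (PHP engine off, no execute permission) stay in place as a second layer.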