Holy cow, I was way off! Thanks very much for the link.
From reading the links provided, I’ve altered the options of the upload class. First, I’m converting everything to a jpg (it’s an avatar upload system). Also, I’ve disabled overwriting. The filename becomes the user’s ID with microtime appended, so there should never be conflicting names, but if there is, the upload class automatically renames. I did move the .htaccess file back from the parent directory to the upload directory, since (if I’m reading it right) the file is now protected from being overwritten. I did this so I could restrict everything but .jpg, which the script is converting all uploads to.
Does this seem like I’ve done my due diligence, or am I still missing something (or, more likely, messing a step up)?
Here’s the htaccess file, as I’ve modified it:
# Don't list directory contents
IndexIgnore *
# Disable script execution
AddHandler cgi-script .php .php2 .php3 .php4 .php5 .php6 .php7 .php8 .pl .py .js .jsp .asp .htm .html .shtml .sh .cgi
Options -ExecCGI -Indexes
# Only allow access to this directory if they are coming from your domain; excluding you, your server, Google and any other IPs
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^(70\.197\.161\.80)
RewriteCond %{HTTP_HOST} !^(127\.0\.0\.0|localhost) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?schw\.im/ [NC]
RewriteRule .* http://schw.im/ [L]
# Secure php.ini and .htaccess
RewriteRule ^(php\.ini|\.htaccess) - [NC,F]
# Block shell uploaders, htshells, and other baddies
RewriteCond %{REQUEST_URI} ((php|my|bypass)?shell|remview.*|phpremoteview.*|sshphp.*|pcom|nstview.*|c99|c100|r57|webadmin.*|phpget.*|phpwriter.*|fileditor.*|locus7.*|storm7.*)\.(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]{0,1}|jsp?|sql|xml) [NC,OR]
RewriteCond %{REQUEST_URI} (\.exe|\.php\?act=|\.tar|_vti|afilter=|algeria\.php|chbd|chmod|cmd|command|db_query|download_file|echo|edit_file|eval|evil_root|exploit|find_text|fopen|fsbuff|fwrite|friends_links\.|ftp|gofile|grab|grep|htshell|\ -dump|logname|lynx|mail_file|md5|mkdir|mkfile|mkmode|MSOffice|muieblackcat|mysql|owssvr\.dll|passthru|popen|proc_open|processes|pwd|rmdir|root|safe0ver|search_text|selfremove|setup\.php|shell|ShellAdresi\.TXT|spicon|sql|ssh|system|telnet|trojan|typo3|uname|unzip|w00tw00t|whoami|xampp) [NC,OR]
RewriteCond %{QUERY_STRING} (\.exe|\.tar|act=|afilter=|alter|benchmark|chbd|chmod|cmd|command|cast|char|concat|convert|create|db_query|declare|delete|download_file|drop|edit_file|encode|environ|eval|exec|exploit|find_text|fsbuff|ftp|friends_links\.|globals|gofile|grab|insert|localhost|logname|loopback|mail_file|md5|meta|mkdir|mkfile|mkmode|mosconfig|muieblackcat|mysql|order|passthru|popen|proc_open|processes|pwd|request|rmdir|root|scanner|script|search_text|select|selfremove|set|shell|sql|sp_executesql|spicon|ssh|system|telnet|trojan|truncate|uname|union|unzip|whoami) [NC]
RewriteRule .* - [F]
# Disable hotlinking of images
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} \.(jpe?g?)$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?schw\. [NC]
RewriteRule \.(jpe?g?)$ - [NC,F]
# Only the following file extensions are allowed
Order Allow,Deny
Deny from all
<FilesMatch "\.([Jj][Pp][Ee]?[Gg]?)$">
Allow from all
</FilesMatch>
# Block double extensions from being uploaded or accessed, including htshells
<FilesMatch ".*\.([^.]+)\.([^.]+)$">
Order Deny,Allow
Deny from all
</FilesMatch>
# Only allow GET and POST HTTP methods
<LimitExcept GET POST>
Deny from all
</LimitExcept>
Thanks again for all your help!
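A quick way to sanity-check the two FilesMatch sections in that .htaccess is to model their decision logic against a handful of file names and see which ones the upload directory would actually serve. The script below is an added example, not code from the original post or from the upload class: it copies the two FilesMatch regexes as written, models Apache's rule that later matching sections override earlier ones (the directory-level default is Deny from all), and runs them over constructed sample names. The tightened STRICT_IMAGE_RE is my suggestion, on the assumption that only .jpg/.jpeg should be served; the posted pattern `[Ee]?[Gg]?` also accepts names ending in `.jp`.

```python
import re

# Patterns copied from the posted .htaccess FilesMatch sections.
ALLOW_IMAGE_RE = re.compile(r"\.([Jj][Pp][Ee]?[Gg]?)$")   # both optional: also matches ".jp"
DOUBLE_EXT_RE = re.compile(r".*\.([^.]+)\.([^.]+)$")      # any name with two extensions

# Assumed tightening: accept only .jpg / .jpeg, case-insensitively.
STRICT_IMAGE_RE = re.compile(r"\.jpe?g$", re.IGNORECASE)


def access_decision(filename, image_re=ALLOW_IMAGE_RE):
    """Return 'allow' or 'deny' for one requested file name.

    Models the posted config: the directory level is 'Order Allow,Deny' +
    'Deny from all'; the first <FilesMatch> allows image names; the second
    <FilesMatch> denies anything with two extensions. Apache applies the
    sections in file order and the last matching section wins.
    """
    decision = "deny"                       # directory default: Deny from all
    if image_re.search(filename):
        decision = "allow"                  # <FilesMatch image pattern> Allow from all
    if DOUBLE_EXT_RE.match(filename):
        decision = "deny"                   # <FilesMatch double-extension> Deny from all
    return decision


def evaluate(filenames, image_re=ALLOW_IMAGE_RE):
    """Map each name to the decision the modelled rules would reach."""
    return {name: access_decision(name, image_re) for name in filenames}


def loosely_allowed(filenames):
    """Names the posted pattern serves but the tightened one would not."""
    return [n for n in filenames
            if access_decision(n) == "allow"
            and access_decision(n, STRICT_IMAGE_RE) == "deny"]


# Constructed sample names (user id + timestamp scheme, plus edge cases).
SAMPLE_NAMES = [
    "42_1700000000123456.jpg",     # expected upload name
    "42_1700000000123456.jpeg",
    "shell.php",                   # not an image name
    "shell.php.jpg",               # double extension
    "avatar.jpg.php",
    "avatar.jp",                   # accepted only because of the jpe?g? quirk
    "42_1700000000.1234.jpg",      # a dot in the timestamp trips the double-extension rule
    ".htaccess",
]

if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLE_NAMES).items():
        print(f"{verdict:5}  {name}")
    print("served only by the loose pattern:", loosely_allowed(SAMPLE_NAMES))
```

Two things this surfaces: a name like `avatar.jp` is served by the posted pattern, and a timestamp that contains a dot (for example a float microtime appended directly) turns a legitimate avatar into a "double extension" name that the second section denies, so the generated filenames need to stay free of extra dots for the rule set to work as intended.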