Many security guides recommend that you store uploaded files in a folder not inside the folder containing your pages that are accessible from the web.
Is this also true for uploaded images? I allow some of my users to upload images that are something like forum avatars. It seems that storing these images outside of the www root would force me to move the files inside of the www root to be viewed. I am not really sure if that is necessary or if this is a best practice here for images like this. I currently store the filename and the file path in a database table.
Any thoughts on this? Can you easily display images that are not in the www/html folder?