Directory that apache can write to from PHP but will not serve files from
Upload your files outside the Apache DocumentRoot.
I.E.
DocumentRoot /var/www/public/(where your php files are)
And upload in /var/www/uploads/
Yours is hardly a new problem -- numerous people (yours truly included) have at some point found their "upload" directories used by various file-traders... Fortunately, the solution is simple...
You can make Unix (and, I'm sure, Windows too) files and directories writable for a user or a group, but not readable. It is sometimes called "negative permissions", and some misguided individuals (and the scripts they create) frown at such settings, but there is nothing wrong with them.
For example, here is an actual file from my server. I ("mi") own it, and the group "www" (which httpd is running under) can write to it. But it can not read from it. All other legitimate users on the system can read it (which you may or may not want for your setup):
-rw--w-r-- 1 mi www .... /home/mi/public_html/.../download.logThe octal mode (for use with chmod) for the above settings is 0624. You can alter it to suit your needs. For example, if no other user on the system should be able to access the file at all, you'd use 0620...
You can also play with Apache's permission-settings to prevent serving from the directory, but that's far less straightforward than Unix file-system permissions. It will also mean additional work should you ever switch from Apache to a different web-server, or move from running PHP inside Apache to an application server, or whatever...