and it has become apparent that actually serving the images is where
most of the risk is for rogue PHP files that could compromise the
server

This only happens if two conditions are met:

• You allow uploading of non-image files
• Downloading is done through a direct link

Thwart one of these and the danger disappears. Of course closing both is better.

The database solution aims at disrupting condition #2, but you can also check, when uploading the image, that it is indeed an image using the getImageSize() function. Or trying to load the image with imageCreateFromJPEG() or other appropriate function.

If the object loaded is not an image, just display “Sorry, image is corrupt”. This both protects your users against uploading broken images and you against someone uploading a rogue PHP file (or maybe a copyrighted video or cracked executable or…).

UPDATE: you can also obfuscate an already existing upload-and-download facility:

Say that currently you upload the user image, assign to it a unique ID, save it as ./images/UNIQUEID.jpg, and serve to the user http://www.yoursite.com/images/UNIQUEID.jpg as URL.

• You apply a .htaccess so that access to ./images/whatever is redirected to ./images/index.php?ID=whatever
• You create a index.php script that takes “whatever”, extracts the image ID, and outputs the image.

All old URLs will continue to work and appear to directly load the image, but what they’re actually doing is invoke a PHP script that checks for the image and sends it along as a bytestream, without interpreting.

You’ll want to be setting ETag to the ID, Last-Modified to file_mtime() of the image file, and Content-Length to the file size. Also, you may want to check the incoming header If-Modified-Since and If-None-Match: if the date of the file corresponds to IMS or the IFN value corresponds to the ID, you can send a HTTP/304 Not Modified answer instead of the image, saving considerable bandwidth.