I only allow certain extensions for my upload script (rar, zip, exe, dll, ini). But... someone decided to upload something called "blah.php.ini", and promptly owned my entire website.

If I only allow rar, zip, and exe, will that solve my problem? Why is it executing code even though the ini extension is on the end? Is there anything I can do with htaccess?

Only allowing certain file names may not always fix the problem (But is a good start), take a look at php.net's manual on this ( http://uk.php.net/manual/en/features.file-upload.php ).

Here are a few tips:
Make sure you confirm it is what they say (Can be done using $_FILES['userfile']['type']).

Encode the file (base64 will do) and store it somewhere where it cannot be accessed via http (I know about these types of scripts, it's a lot harder for them to work if you hide the file/make it useless).

If something does go wrong code wise (say a file was uploaded but is not there), note the IP and block it temporally, and alert a server guy.

It's most likely they done a using that blah.php.ini file, but there was an executor file also. For example say I uploaded a nasty file, then had another file run it.

Hope this helps (Sorry if it's a bit confusing, my English is currently not too good)

Yeah, guess I'll have to do more research.

A good technique is to allow only certain users to upload, like only let users who have earned it to use it.

Also you can prevent uploaded files from being accessed by uploading from the domain root before the public html root