File Uploads Best Practices

Hi All,
I have a PHP page which I use for instructors of courses to upload student rosters, etc. The PHP operation is pretty simple: it renames the file to a standard format, inserts a random string of numbers to make it hard to guess, and inserts the path in the database.
Question is what is the recommended best practice for this.
Should files be placed in the same directory as the instructor control panel PHP files in an uploads folder? Or should they be stored outside the web directory? I don’t want different instructors viewing other instructors’ credentials and rosters.
Someone told me to just put a blank index file so they can’t view the /uploads folder, but that seems like a bad workaround.

If the images are stored outside the public_html folder, how do you include them for viewing later without showing the user the path?

You can store the files outside of the web root and have php serve the files as attachments in the browser via a script. So you could log which users are able to access which files and then have your script check those permissions before sending them out to the browser. It’s a far better way than having the files publicly accessible.

*Edit: basically, something similar to this, but you’d just add some permissions checking logic in there before you output the file to the browser: http://davidwalsh.name/php-force-download
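
As an added illustration of the approach in the answer above (not code from the original thread or from the linked davidwalsh.name post), here is a download.php that serves a roster from a directory outside the web root only after confirming that the logged-in instructor owns it. The storage directory, the uploads table columns, the session key, the database credentials and the allowed MIME types are all assumptions for the example:

```php
<?php
// download.php - serves an uploaded roster to the instructor who owns it.
// Assumptions (not from the original post): files live in /var/app/uploads,
// which is outside public_html; the `uploads` table has columns
// id, instructor_id, stored_name, original_name, mime_type; and the
// logged-in instructor's id is stored in $_SESSION['instructor_id'].
declare(strict_types=1);

session_start();

const UPLOAD_DIR = '/var/app/uploads';   // assumption: outside the web root

function fail(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $msg;
    exit;
}

// 1. Authentication: nobody gets a file without a login.
$instructorId = $_SESSION['instructor_id'] ?? null;
if (!is_int($instructorId)) {
    fail(401, 'Login required.');
}

// 2. Input: the client sends an integer database id, never a filename or path.
$fileId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($fileId === false || $fileId === null) {
    fail(400, 'Bad request.');
}

// 3. Authorisation: look the row up by id AND owner, so a file that belongs
//    to another instructor simply does not exist from this user's point of view.
$pdo = new PDO('mysql:host=localhost;dbname=courses', 'app', 'secret', [   // assumption
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$stmt = $pdo->prepare(
    'SELECT stored_name, original_name, mime_type
       FROM uploads
      WHERE id = ? AND instructor_id = ?'
);
$stmt->execute([$fileId, $instructorId]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    fail(404, 'Not found.');   // same response for "no such file" and "not yours"
}

// 4. Path check: stored_name was produced by our own renaming step, but verify
//    that the resolved path is still a regular file inside UPLOAD_DIR, so a
//    tampered database row cannot point the script at /etc/passwd or similar.
$base = realpath(UPLOAD_DIR);
$path = realpath(UPLOAD_DIR . '/' . basename($row['stored_name']));
if ($base === false || $path === false
    || strncmp($path, $base . '/', strlen($base) + 1) !== 0
    || !is_file($path)) {
    fail(404, 'Not found.');
}

// 5. Send it as an attachment with a server-chosen content type. Forcing a
//    download (and nosniff) means an uploaded HTML or SVG file is never rendered
//    in the site's own origin, and the filename shown to the user is sanitised.
$downloadName = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']) ?: 'download';
$allowedTypes = ['application/pdf', 'text/csv',
                 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet']; // assumption
$mime = in_array($row['mime_type'], $allowedTypes, true)
    ? $row['mime_type']
    : 'application/octet-stream';

header('Content-Type: ' . $mime);
header('Content-Disposition: attachment; filename="' . $downloadName . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');

readfile($path);
exit;
```

The link in the control panel becomes something like download.php?id=123; the real path never leaves the server. Logging who fetched which id, as the answer suggests, is a one-line insert next to the ownership query.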