I want to make sure that I understand your first comment correctly. Were you stating that upon file upload, the filename should be encrypted so that the malicious user would not know the name of the file stored on the server and thus not be able to execute the file directly?
Pretty much... more along the lines that users should only interact with the specified UI. Hashing filenames abstracts the media (files) from the user, leaving the application to deal with managing said media.
E.g., if Facebook were to store profile pictures as the users' name, people would be able to access images based on altering a URL. The HTTP protocol (most likely) won't know if the current user entering the URL has "permissions" or "is a friend of" the picture it is requesting from the server...
However, if it's important to disallow random access to the uploaded file, you really need to put access controls on it, and store it outside of the HTTP root. Obscuring the filename isn't enough.
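An added sketch of the approach in the last comment (not code from the thread): uploads are stored outside the HTTP root under a server-generated random name, and every read passes an access check. The `UploadStore` class, its in-memory metadata map and the user names are assumptions made for illustration.

```python
import secrets
import tempfile
from pathlib import Path


class UploadStore:
    """Keeps uploads in a directory outside the web root; reads go through an ACL."""

    def __init__(self, storage_dir):
        self.root = Path(storage_dir).resolve()
        self.root.mkdir(parents=True, exist_ok=True)
        # file_id -> owner, allowed readers, display name (a database table in practice)
        self.meta = {}

    def save(self, owner, original_name, data, allowed=()):
        # The on-disk name is chosen by the server: no user-supplied path or extension.
        file_id = secrets.token_hex(16)
        (self.root / file_id).write_bytes(data)
        self.meta[file_id] = {
            "owner": owner,
            "allowed": set(allowed),
            # Kept only for display (e.g. a download filename), never used as a path.
            "name": Path(original_name).name,
        }
        return file_id

    def read(self, user, file_id):
        entry = self.meta.get(file_id)
        # Unknown ids and forbidden ids fail identically, so ids cannot be probed.
        # The path is built only from ids this store issued, never from raw input.
        if entry is None or (user != entry["owner"] and user not in entry["allowed"]):
            raise PermissionError("not found or not permitted")
        return entry["name"], (self.root / file_id).read_bytes()


if __name__ == "__main__":
    # Constructed sample data: a temp directory stands in for storage outside the web root.
    store = UploadStore(tempfile.mkdtemp(prefix="uploads-"))
    fid = store.save("alice", "../../shell.php", b"sample bytes", allowed={"bob"})
    print("stored as:", fid)
    print("bob reads:", store.read("bob", fid))
    try:
        store.read("mallory", fid)
    except PermissionError as exc:
        print("mallory:", exc)
```

The random name only removes guessable URLs; the permission check in `read` is what enforces who may fetch the file.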