Common Apache Misconception

There is an interesting article over at sans.org about a common Apache misconception. In Apache you usually have a configuration directive like this:

LoadModule php4_module modules/libphp4.so 
AddType application/x-httpd-php .php

The misconception is about the .php part. It does not mean that only files whose names end in .php are handled as PHP code. The .php part can be anywhere in the file name, as in file.php.txt. The impact is that if you have this module enabled and someone uploads a file named file.php.txt, Apache will execute the PHP code in it. Of course, this only happens when the upload directory is inside Apache's DocumentRoot.
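An upload-name check that follows the behaviour described above, as an added example (not code from the original article): it looks at every dot-separated extension of a name instead of only the last one. The function names and the sample file names are constructed for illustration, the mapped set contains only the .php extension from the AddType line above, and case-insensitive matching is a conservative assumption.

```python
import os

# Extensions the server maps to PHP. Only "php" comes from the AddType line
# on this page; add any others your own configuration maps (assumption).
PHP_MAPPED = {"php"}


def extensions(filename):
    """Return every dot-separated extension of the base name, lowercased.

    The part before the first dot is the name itself, so "php.txt" has the
    single extension "txt", while "file.php.txt" has "php" and "txt".
    """
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.split(".")
    return [p.lower() for p in parts[1:] if p]


def is_php_mapped_name(filename, mapped=PHP_MAPPED):
    """True if ANY extension of the name is mapped to PHP, not just the last."""
    return any(ext in mapped for ext in extensions(filename))


def naive_check(filename):
    """The misconception: only look at the end of the file name."""
    return filename.lower().endswith(".php")


def audit(names, mapped=PHP_MAPPED):
    """Return the names that an upload handler should reject or rename."""
    return [n for n in names if is_php_mapped_name(n, mapped)]


if __name__ == "__main__":
    # Constructed sample of names found in an upload directory.
    sample = ["photo.jpg", "file.php.txt", "notes.txt", "Image.PHP.jpg",
              "index.php", "php.txt", "archive.tar.gz"]
    for name in audit(sample):
        marker = "" if naive_check(name) else "  (missed by suffix-only check)"
        print(f"reject: {name}{marker}")
```

Run it against a listing of the upload directory; any name it reports should be rejected or stored under a server-generated name with a single known extension.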

The original article has a checklist about how to upload files.