Old 02-23-2008
Dikkie Dik
 
Re: Hacker attack. What do they want?

> my site allows to upload images. For that reason I have created a
> directory which has "drwxrwxrwx"-permission. I.e. everybody can write
> in that directory.


Nice, but who else writes in that directory than the web server user?

> I understand that it is not safe, because everybody
> can upload to this directory some scripts which would destroy my file
> system or store some information. To make things a little bit better I
> put there the following .htaccess file:
> php_flag engine off
> IndexIgnore *


When you move the temp file to the final location, YOU (the webserver)
can give it any name YOU want. The fact that the directory is
world-writable AND has an .htaccess file should ring a bell: If you
keep the file names, anyone can upload an .htaccess file...

> So it means that php-scripts cannot be executed in this directory.


Given the above, are you sure?

> But
> what about the shell scripts? How could I prevent the execution of a
> shell script in this directory?


By not making them executable. You can chmod the file if it is executable.

> My php script which uploads files to the directory takes only files
> which have *.jpg extension. Today I found out that in the directory I
> have a file (called 854.jpg) which is a sub-directory! How did they
> do it? Well I understand that the jpg extension does not guarantee the
> file is a jpg-image, but I did not know that this file can be a
> directory!
>
> The problem is that subdirectory "854.jpg" does not have the above
> mentioned .htaccess file. So the owner of the directory can make there
> whatever they want. How can I solve this problem?
>

By putting the things that appear in the .htaccess file in the normal
config. There is really no reason for .htaccess files, other than lack
of access to system maintainers.

Furthermore, you can check if it is a directory upon upload.

Good luck!
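An added example, not code from the thread, of an upload handler that follows the advice in this reply: the server chooses the stored name, only a regular uploaded file is accepted (so a planted directory or symlink under a ".jpg" name is rejected), the type comes from the image header rather than the client's filename, and the result is stored non-executable. The form field name "image" and the directory /var/www/uploads are assumptions.

```php
<?php
// Added example (hypothetical paths and field names), not the poster's code.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';                       // assumed location
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Stores one entry of $_FILES and returns the server-chosen file name.
function storeUpload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: ' . $file['error']);
    }
    // Accept only what PHP itself placed in the temp location, and only a
    // regular file: a directory or symlink can never pass this check.
    if (!is_uploaded_file($file['tmp_name']) || !is_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded regular file');
    }
    // Decide the type from the image header, not from the client's name.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED[$info['mime']])) {
        throw new RuntimeException('not a supported image');
    }
    // The server picks the name, so a client can never create ".htaccess",
    // "x.php", or anything else it chooses in the upload directory.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$info['mime']];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    // Readable by the web server, never executable.
    chmod($dest, 0644);
    return $name;
}

if (isset($_FILES['image'])) {
    echo storeUpload($_FILES['image']);
}
```

The `php_flag engine off` and `IndexIgnore *` directives belong in a `<Directory /var/www/uploads>` block of the main Apache configuration together with `AllowOverride None`, so that they also cover any subdirectory and cannot be overridden by a file dropped into the directory.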