Someone may make a script to auto fill the post and upload tons of images inside my directory.

If that's a risk, they can also write a script that will click "submit final" it doesn't matter where the images are stored - sooner or later you *will* run out of disk space. If you allow just everybody to upload limitless amounts of data you're opening yourself up to this problem anyway.

As for the tmp directory, I think I'd write a cron-script that deletes every file in the tmp folder with a ctime > 1 hour or so (or if you don't have access to cron, you might do that everytime your upload script is run)

Update: in reference to the first paragraph, I guess it would be a good idea to have password-protected user accounts, and only allow X amount of upload data per day per account. You might also want to check the amount of free disk-space and prohibit uploading before you run out of space completely.