Yeah, this is one of the big problems with PHP, and Apache mod_php specifically. You can implement various mitigations (drop an .htaccess into the uploads directory that turns off any script execution?) but the fact that you have to is kinda ridiculous. Pretty much all other web development environments are not based around just running scripts from the same directories where static files are. Heck, Apache's CGI implementation was better, it only ran code from the /cgi-bin/ subdirectory!
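The .htaccess mitigation mentioned above, sketched as an added example (not configuration from the original post). It assumes Apache 2.4 with mod_php; the directory path and the extension list are constructed placeholders.

```apache
# --- Variant 1: uploads/.htaccess -------------------------------------
# Needs "AllowOverride Options AuthConfig" (or All) for this directory.
# php_flag only exists when mod_php is loaded; without it the directive
# is unknown and every request to this directory returns a 500.

# Turn the PHP engine off for this directory tree.
php_flag engine off

# Refuse to serve anything that looks like a script, including names
# such as "shell.php.jpg" where .php is not the last extension.
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar|pht)(\.|$)">
    Require all denied
</FilesMatch>

# --- Variant 2: the same policy in the vhost / server config -----------
# Preferable when you control the server: an uploaded file named
# ".htaccess" cannot undo it, because overrides are disabled here.
<Directory "/var/www/example/uploads">
    AllowOverride None
    # php_admin_flag cannot be overridden from .htaccess or ini_set().
    php_admin_flag engine off
    <FilesMatch "(?i)\.(php[0-9]?|phtml|phar|pht)(\.|$)">
        Require all denied
    </FilesMatch>
</Directory>
```

Variant 1 only holds if the upload handler can never write a file named .htaccess into that directory; a quick check for either variant is to place a harmless .php file there and confirm the server answers 403 instead of executing it.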
Hi!
You are viewing the archive of unrelenting.technology.
This website is no longer updated, my current one is val.packett.cool.
Check it out instead :)