Thanks for the nice words! Yes, as a general security rule you don't want user-uploaded files in the web directory. It would make sense to create a new folder for each user and store their uploads in their own directory.
Some OSes have limits on the number of files or folders than can be in a directory, so that's a problem you'll need to worry about should you get to a high level.
To show, say, an image in the browser, you'd set the HTML src to something like image.php?id=X. The image.php script would identify the image to be served and output it. I forget if there's an example of that in this particular book but it's not that complicated.