However, if it's important to disallow random access to the uploaded file, you really need to put access controls on it, and store it outside of the HTTP root. Obscuring the filename isn't enough.