The best way to avoid /tmp upload is mount tmp on its own partition and setup noexec mount flag. Also make sure you run susexe for PHP.

Ultimate solution is install mod_security for Apache and chroot jail (it may not not work with CP such as Plesk)

Hope this helps

__________________
May the force with you!