There are two ways to prevent execution of any (malicious) scripts uploaded to by users.
Method one – like described in this post.
Method two – add the below code to .htaccess file of the directory that needs to be protected.
RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo .sh .html .shtml .jsp
If it doesn’t work for PHP scripts on servers where suPHP is enabled, then see this post