If you watch your code (mysql_escape_string(), htmlentities(), etc) you should be OK. But don't forget to check file types in your upload script and make it upload to a directory that is outside of $_SERVER['DOCUMENT_ROOT'], check it, then move to normal avatar directory, that way, if someone does manage to upload something malicious it will at least be checked before it gets moved to a publicly accessible directory.
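The stage-then-check-then-move flow described above, as an added example in PHP (not code from the original post). It assumes a document root of `/var/www/html`, a staging directory `/var/www/uploads_staging` that the web server never serves, and a form field named `avatar`; those paths and the size limit are assumptions. The type check reads the file's bytes via `finfo` and `getimagesize()` rather than trusting the client-supplied MIME type or filename, and the file only reaches the public avatar directory after those checks pass, under a server-chosen name.

```php
<?php
// Added example (not from the original post): validate an avatar upload in a
// staging directory outside the web root, then move it into the public avatar
// directory only after it passes the checks. Directory paths are assumptions.

declare(strict_types=1);

// Assumed layout: document root is /var/www/html; the staging dir is a sibling
// directory that the web server never serves.
const STAGING_DIR = '/var/www/uploads_staging';
const AVATAR_DIR  = '/var/www/html/avatars';
const MAX_BYTES   = 512 * 1024;

// Only these image types are accepted. Key: MIME type reported by libmagic;
// value: the extension the published file will be written with.
const ALLOWED = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

function reject(string $why): void
{
    http_response_code(400);
    exit("upload rejected: $why");
}

if (($_FILES['avatar']['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
    reject('no file or transport error');
}
$tmp = $_FILES['avatar']['tmp_name'];
if (!is_uploaded_file($tmp)) {
    reject('not an uploaded file');
}
if ($_FILES['avatar']['size'] > MAX_BYTES) {
    reject('too large');
}

// Step 1: move out of PHP's temp dir into our own staging dir, which is not
// under DOCUMENT_ROOT, using a name we choose (never the client's filename).
$stagingPath = STAGING_DIR . '/' . bin2hex(random_bytes(16));
if (!move_uploaded_file($tmp, $stagingPath)) {
    reject('could not stage file');
}

// Step 2: check the staged file. The MIME type comes from the file's bytes,
// not from the client-supplied $_FILES['avatar']['type'] header.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($stagingPath);
if (!isset(ALLOWED[$mime])) {
    unlink($stagingPath);
    reject("disallowed type $mime");
}
// getimagesize() must also agree that the content parses as that image type.
$info = @getimagesize($stagingPath);
if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
    unlink($stagingPath);
    reject('not a valid image');
}

// Step 3: only now move into the publicly served avatar directory, with a
// server-chosen name and an extension that matches the verified type.
$finalPath = AVATAR_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
if (!rename($stagingPath, $finalPath)) {
    unlink($stagingPath);
    reject('could not publish file');
}
chmod($finalPath, 0644); // readable by the web server, not executable

echo 'ok: ' . basename($finalPath);
```

Because the file is renamed to a random name with an extension derived from the verified type, a file that arrives as `avatar.php` but contains valid PNG bytes is published as `<random>.png`, and anything whose bytes are not a recognised image never leaves the non-served staging directory.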