Image Display from non web root folder

I have been reading up on file upload security and the guidance (see here: http://www.scanit.be/uploads/php-file-upload.pdf but also it appears elsewhere) is to do the following:
1. Keep uploaded files in a folder NOT accessible by the browser - i.e. out of your webroot.
2. Change the file names so that they are not the same as the uploaded file and not easily guessed

In my script I check that it is an image file (as that is what I am uploading) and I check sizes and the like but that is not enough. I do number 2 above as I have to keep them in a database attached to the members' profiles.

However, I am having some difficulty sorting out how exactly to do number 1.

When the image is uploaded it is stored in the file area, but when I want to display it, I don't just want to send the raw image. I want it to be resized to thumbnail and to also be part of a lightbox object so that when clicked it is accessible. It is all currently working with the directory within the webroot, but I can't get it to work if the directory is outside the webroot.

Presumably, this is because the browser cannot find the location (not in webroot) and so I can't use html to tell the browser how to treat it. So, I could use PHP to send the stream (imagejpeg for eg) to the browser, but I also want to be able to pass the resize parameters and the lightbox links.

Now, I could always hold copies of the images as thumbnails and remove the first issue, but I can't see quite how I can wrap the html around an image stream from PHP.

I thought about using a temporary file in the webroot - so picking it up from outside, creating a temp in a webroot folder and then using that for the html. It seems a lot of messing around.

So, first question is - is this necessary? Is the security chap correct here? Should the files be stored outside the webroot for security?

If so, then how best may I achieve the equivalent of the following code which uses a file in the webroot.

Many Thanks - and I hope I've explained that clearly!

For info my web root is under /srv/public/html/domain.com - which maps to domain.com in the browser. I currently have the files under domain.com/images - I was intending to put them under /var/www/images - /var not being accessible by the browser.

1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:

while ($img = mysql_fetch_array($gallery))                      // Get the images
        {
            $cap=stripslashes($img['caption']);                               // Image caption for lightbox
            $ttl=str_replace("'","",$img['title']);                                 // Gallery title to group images
            $imp="images/".$img['path'];                                         // image for html
            $is = img_resize("images/".$img['path'],90);                // make thumbnail
            $img ="<img src ='images/".$img['path']."'".$is.">";      // construct html for output
            $lightbox=" rel='lightbox[gal]' title='".$cap."'";              // lightbox parameters
            echo "<td width='25%'>";
            echo "<a href=\"$imp\" rel=\"lightbox[$ttl]\" title=\"$cap\">".$img."</a></td>";  // o/p to brw
            $nl++;                                                                         // four images per line
            if ($nl == 4) { echo "</tr><tr>"; }
        }