Make sure that the web server can write to the incoming/ dir:

  sudo chgrp www-data incoming/
  sudo chmod 775 incoming/

Add some access control to the directory:

  echo "AuthType Basic" >> .htaccess
  echo "AuthName \"Upload\"" >> .htaccess
  echo "AuthUserFile \"$PWD/.htpasswd\"" >> .htaccess
  echo "Require valid-user" >> .htaccess
  htpasswd .htpasswd upload