example.com/blog
example.com/forums

versus

blog.example.com
forums.example.com

I would prefer to use the first example. I find that a cleaner method for an end user to understand. However, that puts the blog and forums in an area in which I have 100% custom code. I am dropping forums and a blog that are going to eventually have a security hole. If someone gets into blog or forums, it would not take a lot to ../ up a directory, and use php to read into my other files.

I would like to put the blog and forums elsewhere, in this case, on the same machine, but maybe down the road, on some other totally different machine.

Is my logic sound in that putting it in a different Apache directory block, with php's open_basedir set to that new directory, those would be much harder to get into my source files in example.com/ ?

If so, can mod_rewrite do what I am going to need this to do, which is going to be to essentially take all incoming requests for /blog/whatever-the-rest-is and somehow change that off to a blog.example.com/whatever-the-rest-is. I would still like blog.example.com to be completely inaccessible though. The url the user sees would never change, this is invisible to the user.

I do not think I want to use a proxy in Apache to do this, as does that not mean my stats would be totally useless, as they all appear to come from the same location?

Suggestions?