.pl with permissions 777

Security issue?


hafnius

11:28 pm on Jun 8, 2004 (gmt 0)

10+ Year Member



Hi all

I have a .pl script outside the web scope that won't work unless I chmod it to 777 (all read/write/exe). I don't want it to be hijacked; is that possible for an evil-doer with this setting?

[edit] Now it works with 755; that should be OK, right? [/edit]

Regards
/Hafnius

VectorJ

1:31 am on Jun 9, 2004 (gmt 0)

10+ Year Member



755 will be fine. You can get away with 777 as long as it's out of the web scope and you take general security precautions against intrusive code (presumably the 777 is so that the webserver can read/write the file; if you don't filter the input from the webserver you can allow grave damage to your site by evil-doers).

hafnius

1:57 am on Jun 9, 2004 (gmt 0)

10+ Year Member



Hi VectorJ

OK, I'll stop worrying. It's a mail script and I have nightmares about others hijacking it. The form that accesses the script sits in a password-protected dir, so I should be OK. "Better safe than sorry."

Kind Regards
/Hafnius

volatilegx

9:45 pm on Jun 9, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The way formmail scripts are hijacked really has nothing to do with the permissions setting. The location of your form that accesses it has nothing to do with it either; however, if the formmail script itself is in an auth-only directory, that will help.

Formmail scripts are subject to hijacking if they accept input from an HTML form and that input includes the email address of the person(s) to which it sends email. So, if in your HTML form, you specify the "To:" for the email, it is subject to hijacking.

You can overcome this by editing the formmail script to specify a list of acceptable email addresses. Then, have the script check the "To:" against this list. If there are any outgoing emails where the email address is not on this list, have the script die.
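The recipient allowlist volatilegx describes (and the input filtering VectorJ mentions), written out as an added Perl example; this is not hafnius's script or any particular formmail distribution. It assumes the HTML form submits the address in a field named `recipient`, that sendmail lives at `/usr/sbin/sendmail`, and that the two allowed addresses and the `From:` address are placeholders you would replace. The point to notice is that the only header value taken from the form is the recipient, and it is accepted only if it matches an address hard-coded in the script; everything else the user typed goes into the message body, never into a header.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: a formmail-style CGI that refuses to
# send to any address that is not on a list kept inside the script.
use strict;
use warnings;

# The acceptable recipients live here, never in the HTML form (placeholder addresses).
my @ALLOWED_RECIPIENTS = ('webmaster@example.com', 'sales@example.com');

# Return the allowlisted form of $to, or undef if it is not an acceptable recipient.
sub allowed_recipient {
    my ($to, $allow) = @_;
    return undef unless defined $to;
    # One plain address only: whitespace, line breaks or separators mean "not on the list".
    return undef if $to =~ /[\s,;]/;
    my $lc = lc $to;
    for my $ok (@$allow) {
        return $ok if lc($ok) eq $lc;
    }
    return undef;
}

# Minimal application/x-www-form-urlencoded decoding (query string or POST body).
sub parse_form {
    my ($raw) = @_;
    my %fields;
    for my $pair (split /&/, ($raw // '')) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k;
        for ($k, $v) {
            next unless defined;
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/eg;
        }
        $fields{$k} = $v // '';
    }
    return \%fields;
}

sub main {
    my $raw = ($ENV{REQUEST_METHOD} // '') eq 'POST'
        ? do { local $/; <STDIN> }
        : $ENV{QUERY_STRING};
    my $form = parse_form($raw);

    # The check volatilegx recommends: unknown "To:" means the script dies.
    my $to = allowed_recipient($form->{recipient}, \@ALLOWED_RECIPIENTS);
    unless ($to) {
        print "Content-type: text/plain\n\nRecipient not permitted.\n";
        die "formmail: rejected recipient '" . ($form->{recipient} // '') . "'\n";
    }

    # Headers are built only from constants plus the allowlisted address; the
    # user's text is written into the body, where a stray line break is harmless.
    open my $mail, '|-', '/usr/sbin/sendmail -oi -t' or die "formmail: cannot run sendmail: $!\n";
    print $mail "To: $to\n";
    print $mail "From: formmail\@example.com\n";   # placeholder sender
    print $mail "Subject: Web form submission\n\n";
    for my $name (sort grep { $_ ne 'recipient' } keys %$form) {
        print $mail "$name: $form->{$name}\n";
    }
    close $mail or die "formmail: sendmail failed: $!\n";
    print "Content-type: text/plain\n\nThanks, your message has been sent.\n";
}

main() unless caller;   # lets the functions be required from a test without sending mail
```

With this in place, the file mode no longer decides whether the script can be abused: a request carrying `recipient=anyone@elsewhere.example` is logged to the web server's error log by the `die` and never reaches sendmail, while the two configured addresses work as before.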