It seems that changing file permission can be done either directly on the server (i.e. 755 to 777) or it can be done with chmod & chown. Obviously, the better of the two approaches is to use PHP's chmod & chown for security reasons. Is my assumption correct?
Is there a tutorial or article that covers the basics?
The funny thing is that whenever there is a question about security my answer is always the same: it always depends on the situation or setup.
There are a few obvious basics like not giving your web user shell access and not making all of your files world writable. From there on things have a tendency to go off in all directions. You always must take reasonable precautions to protect whatever it is you are trying to do, but in no way will you ever be able to protect against all eventualities.
There is always someone smarter than all of us and security will be breached somehow, at some point.
As far as the specifics about chown and chmod:
I store writable directories outside of the root of the site. This means not having to change permissions every time I need to write, but it still keeps those directories protected from direct web access.
Most files are set to 755, which is everything for the owner and read and execute for everyone else.
It depends on what you do with ownerships and other things, but that is fairly standard.
Try doing some searches for "chmod man pages" or "chown man pages"; that may give you a little more about security and permissions.
Remember that PHP's chmod needs the directory to be owned by the user that the webserver is running under.
I've never tried to use chown - as the manual says, 'Only the superuser may change the owner of a file.' And configuring apache to use the superuser would usually be considered as rather exotic behavior.
I keep my files as 644.
You can also have your webserver write to files that have 'normal' writing permissions (like 644 - permissions to write only by owner and group) if it's the webserver that owns them. This is one of my favorite combos, though I'm sure some will say that this is an unacceptable security risk for users on shared hosting. It is a risk, since conceivably someone else hosted on the same server could write to this file if their account has apache running as the same user as yours. However, I thought (and someone please correct me if mistaken) that cpanel these days is set up so apache runs with different usernames on different accounts. At least, it seems so on my shared host. So that means they'd have to have access to writing to a file in your webroot before they could do something like this, and that's already presupposing a security breach of a greater order than just having files owned by your webserver.
Sorry that this is becoming a tome.
Anyways, you can just chmod a directory 777 with ftp, mkdir() yourself a directory in that directory (which will then be owned by the webserver owner of your account), and chmod that chmodded 777 directory back to something that's safer (again, with ftp). That directory you made, then, can be used for writing all sorts of files. Or you can do something similar by writing a file in this directory, if it's a file that needs to be writeable by the webserver.
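A defender's counterpart to the 777-and-back routine above, as an added shell example that is not from this thread or any of its posters: it lists world-writable paths under a web root and resets them to the 755-for-directories / 644-for-files defaults the replies mention, with the writable directory kept outside the root as the first reply recommends. The directory layout and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a web root for world-writable
# files and directories, then resets them to 755 (dirs) / 644 (files).
# All paths are constructed in a temporary directory.

# Print every world-writable file or directory under $1, one per line.
# -perm -002 is the POSIX spelling of "others have write permission".
find_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) -print | sort
}

# Number of world-writable paths under $1 (quick pass/fail number).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Reset permissions under $1 to the thread's defaults: directories 755
# (rwxr-xr-x), files 644 (rw-r--r--). Ownership is left alone: chown needs
# the superuser, and the web server should never run as that.
reset_default_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree: a site root plus an upload directory that sits
# outside the root, so it is never reachable by a direct web request.
make_sample_site() {
    base=$(mktemp -d)
    mkdir -p "$base/public_html/img" "$base/uploads"
    printf 'hello\n' > "$base/public_html/index.php"
    printf 'x\n'     > "$base/public_html/img/logo.png"
    chmod 777 "$base/public_html/img"        # the "just chmod it 777" habit
    chmod 666 "$base/public_html/index.php"  # a world-writable script
    chmod 700 "$base/uploads"                # outside the root, owner-only
    printf '%s\n' "$base"
}

# Demo run: audit, fix, audit again, clean up.
site=$(make_sample_site)
echo "world-writable before: $(count_world_writable "$site/public_html")"
find_world_writable "$site/public_html"
reset_default_perms "$site/public_html"
echo "world-writable after:  $(count_world_writable "$site/public_html")"
rm -rf "$site"
```

Run it against a real site root only after reading the output of find_world_writable: a directory the application genuinely needs to write to should be owned by the web server user rather than made world-writable.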
Your answers helped resolve my confusion about chmod.
What was especially helpful was knowing that the temp folder, where the files are initially written, should be in the site's root directory and then moved to their final folder destination.
Also, it was helpful to learn that chown does not have to be used. Reading the info about chown gave the impression that chown was always used when chmod was used.