I recently wrote a file upload/download utility in PHP that creates directories, uploads and downloads files, and soon will delete files. To be able to create the directories, I had to change the permissions on the folder that the directories are created in.

A lot of this is new to me, and I don't know much about security, but am concerned about it.

Should the folder that these folders are created in and files are uploaded into be outside of the web directory? What are the minimal permissions that I need on the directory to allow users to do this (a chmod code would be nice :) )

The application isn't supercritical (but the deadline date was) so now that I have time I just want to make sure all my bases are covered.

Also, if anyone knows of any good sites to read about this stuff (application end, not server end, for obvious reasons) I would love to know about them.

Thanks!
~Sarah

Here ya go.. when you're done with these, I have more :) They don't deal with folder permissions, but it's all stuff that needs to be considered when writing code

http://www.cgisecurity.com/lib/studyinscarlet.txt
http://www.cert.org/tech_tips/cgi_metacharacters.html
http://www.wiretrip.net/rfp/txt/rfp2101.txt
http://www.linuxfocus.org/English/November2001/article203.meta.shtml

Some aren't PHP specific but they still make for a good read :)