[eluser]jedd[/eluser]
[quote author="Jondolar" date="1246527391"][quote author="jedd" date="1246511219"][quote author="Jondolar" date="1246503943"] You must make your directory world writable ( or writable to whatever user apache is running under) [/quote]
These are substantially different things, and to clarify - you do not need to make a directory world-writable in order to open a file for writing.
[/quote]
Jedd, your directory must be set to 777 if you want to create new files, as the op stated.[/quote]
I can't find where the op asserted this.
I stand by my original claim (above) but if you prefer I'll suffix the previously assumed qualifier: '... if you are on a non-broken system.'
[quote]On many, if not most hosts you must set your files to 777 to make them writable.[/quote]
Your poor experience at choosing SP's aside, this is still not true - even though you have said it twice.
If you want to make a file writable, it's the w (or 2nd) bit. World-writable for a file would be 666 (rw-rw-rw-). Setting the 1-bit (x) is augmenting an already questionable security policy, as it opens you up to yet further exploits.
Aside: if you are intending to continue using these kinds of hosting providers, you should consider the sticky bit for your directories - it will give you a slight improvement in security (though it's very much in the category of deck-chair rearrangement).
[quote]Hosts that are running SUPHP or PHP as a CGI don't have that requirement but I don't believe that is the majority of the hosts.[/quote]
suphp (and variants) are but one way of achieving a secure hosting environment. Even a cheap, nasty and age-old fakeroot approach resolves this problem - and I remember buying one of these for about $30/year ten years ago - and they were Australian dollars!
I can't believe that in 2009 anyone would consider a hosting environment that was so poorly managed that it let any other client modify your files (and look at your source, and consequently look at your database contents).
Virtualisation is very cheap these days - and not solely in terms of cash (though of course it's free in that sense too) but in terms of resources (CPU/memory/disk) and management software to wrap around it.
I'd suggest that if you are stuck on a host that doesn't understand, let alone respect your information security, that you spend the extra dollar and get one of those $2/month services that are run by people who do.
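The permission modes argued over in this thread, as an added example that is not part of the original posts: a small audit that flags world-writable files (666 versus 777) and world-writable directories with and without the sticky bit, run against a constructed tree in which a file is created inside a 755 directory by its owner. The function names, finding tags and directory names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a tree for the modes discussed.
# audit_perms DIR prints one finding per line as "<TAG> <path>".
audit_perms() {
    root=$1
    # Files with both the world-write (002) and world-execute (001) bits, e.g. 777.
    find "$root" -type f -perm -0003 | sed 's/^/FILE_WORLD_WRITE_EXEC /'
    # Files that are world-writable but not world-executable, e.g. 666.
    find "$root" -type f -perm -0002 ! -perm -0001 | sed 's/^/FILE_WORLD_WRITE /'
    # World-writable directories without the sticky bit (1000), e.g. 777:
    # any local user can delete or replace entries owned by someone else.
    find "$root" -type d -perm -0002 ! -perm -1000 | sed 's/^/DIR_WORLD_WRITE_NO_STICKY /'
    # World-writable directories with the sticky bit, e.g. 1777:
    # only an entry's owner (or the directory owner) can remove it.
    find "$root" -type d -perm -0002 -perm -1000 | sed 's/^/DIR_WORLD_WRITE_STICKY /'
}

# demo builds a constructed sample tree (hypothetical names) and audits it.
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/uploads" "$t/shared" "$t/cache" || return 1
    chmod 755 "$t/uploads"     # writable by the owner only
    chmod 777 "$t/shared"      # world-writable, no sticky bit
    chmod 1777 "$t/cache"      # world-writable, sticky bit set
    # The owner creates a file in the 755 directory: no world-write needed.
    : > "$t/uploads/new.txt" || return 1
    chmod 644 "$t/uploads/new.txt"
    : > "$t/shared/a.php" && chmod 777 "$t/shared/a.php"
    : > "$t/shared/b.log" && chmod 666 "$t/shared/b.log"
    # Print findings with the temporary prefix removed.
    audit_perms "$t" | sed "s|$t/||"
    rm -rf "$t"
}

demo
```

Nothing under `uploads` is reported: the directory is mode 755 and the file in it is 644, yet the file was created without any world-writable bit being set.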