After recent work with phpBB I found out there are many exploits for hackers with embeding PHP in gif or jpg files.
So CHMOD to 766 will not protect you fully.
Best way is to use htaccess pasword protected directories for storing user uploaded files.
Depending on a server configuration one can change mod to 777 on htaccess password protected dir, but other times you cannot and can only write to a file if a file exists.
(So unless you are 777 you cannot write to a new file.)
To get around writing to a new file problem store the uploaded files in a sub directory of root not in public_html
Then you will be fully protected, because one cannot access that directory from www
Another nice trick, is to change mod in PHP when you write to a file to public and change the mod back to global after finished writting.
This is also handy, write to a temp file then flush it with heloo!
Okay Foo to you all.