PHP: tcpdf security considerations of cache folder with write permission

I have installed tcpdf on my web server and use it to generate pdf invoices. It has a cache folder and my web server user group www-data can create and delete files.

Could a hacker

a) create files in that folder and

b) execute them as php?

Should I move the cache folder outside of the www开发者_JS百科 directory? I tried to cd into the folder but get a permission error with my own username, so I was wondering if that step is necessary.

If you have not made any changes to your user groups a www-data group is only used for logging purposes and is not able to accessed by the browser. The data user will be able to create but it should not be deleting anything. But as for worrying about hackers accessing your site as long as you have not changed any permissions for this user No.