Security of changing permissions of file on server

I have a PHP file which edits an XML file, both on the same web-server. So I need to chmod 666 the XML file. Howeve开发者_如何学Cr i've seen some warnings about this being a security risk due to the granted write permissions.

I only care about whether remote users can edit my XML file, am I correct in thinking this is not possible without being local?

You could set them up a group and set a group permission for the file and give that file the group permission and all those users of that group can edit that file. This way, only members of the group can edit and not all public people.

Who creates the XML file in the first place? If you create it directly via PHP, you do not need to set such permissions.

If you are on shared hosting, others might be able to modify the XML, depending on the server's configuration.

The security risk depends on what you do with the data, do you eval it, do you call functions according to content in the XML? Do you just output something without escaping? Do you store sensitive information in the XML?

I'm not sure what you mean by "remote users". Any other user that is logged on, read system user, can modify the file. So anyone that is connected via SSH or something could change it. If it's a virtual server however, it's a different matter.