I have a form that allows users to upload only .jpg files. Somehow a hacker was able to upload a PHP file which in turn he/she used to send out spam mail. It later occurred to me that the hacker didn't even use the form because at the time there was no way for him/her to log in and access that page. Of course, the directories where I put the images have 777 permissions.
Can a hacker remotely upload files to a 777 folder?
Is there a way to allow users to upload images without 777 permissions?
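
An added example, not part of the original question: a shell audit for the setup described above that lists world-writable upload directories, flags files that do not start with the JPEG signature regardless of extension, and drops the 777 mode. The function names and the sample tree are hypothetical, and the 755/644 modes assume the upload directory is owned by the account the web server's PHP process runs as.

```shell
#!/bin/sh
# Added example (not from the original post); all names are hypothetical.

# List directories under $1 that any local account can write to (e.g. 777).
world_writable_dirs() {
    find "$1" -type d -perm -0002
}

# List regular files under $1 whose first three bytes are not the JPEG
# signature FF D8 FF, whatever the file extension claims.
non_jpeg_files() {
    find "$1" -type f | while IFS= read -r f; do
        sig=$(head -c 3 "$f" | od -An -tx1 | tr -d ' \n')
        [ "$sig" = "ffd8ff" ] || printf '%s\n' "$f"
    done
}

# Remove group/world write access. Assumption: the directory owner is the
# account the upload script runs as, so owner-only write is sufficient.
tighten_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample: a 777 "images" folder holding one file with a JPEG
# header, one PHP script, and one PHP script renamed to .jpg.
make_sample_tree() {
    mkdir -p "$1/images" && chmod 777 "$1/images"
    printf '\377\330\377\340JFIF' > "$1/images/photo.jpg"
    printf '<?php /* placeholder */ ?>' > "$1/images/mailer.php"
    printf '<?php /* placeholder */ ?>' > "$1/images/fake.jpg"
}

# Report only when a path is given: sh audit_uploads.sh /path/to/uploads
if [ -n "${1:-}" ]; then
    echo "World-writable directories:"; world_writable_dirs "$1"
    echo "Files without a JPEG signature:"; non_jpeg_files "$1"
fi
```

The signature check only shows that a file begins like a JPEG; it does not prove the rest of the file is a valid image.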