What is the correct way to allow users to upload images to a site? I'm using mod_php so everything is done by apache, not the domains user.
Right now I just chmod 777 the images folder and hope for the best :)
I've been looking at adding an .htaccess file to prevent PHP from running in that folder.
Ideally, you'd chown a folder to the user account running Apache. This might be 'apache' or 'www-data' or something else, depending on your environment. If the folder is chown'd by that user, you'd only need a permission of 700.
You might also want to check the file upload path in your php.ini file. It may upload the file with a unique filename into /tmp/ and then you'd use move_uploaded_file() to move the image to your 'images' folder.
As far as the .htaccess is concerned, you could also just write a simple index.php script that redirects to some other page on the site, like:
So if someone tries to view yourdomain.com/images/ it'll just bounce them back to yourdomain.com
"I'm using mod_php so everything is done by apache, not the domains user."
I'd suggest stopping that right away; it's not healthy, even in a dedicated hosting environment (but is downright deadly if you've got more than one website on the box). suPHP works well enough for the task.
If your heart is set on sticking with mod_php, I would not recommend changing the user of the directory to match that of the webserver; this prevents effective administration of the site by the user who actually owns it. Instead, change the group of the directory to be that of the webserver, and then give that group write permission to the directory.