How can I securely allow web users to create files?

Question

I'm building a website which allows certain users to write reviews, and I want a small php file to be automatically generated when they do. What's the most secure way to set up accounts/groups/file permissions to allow this? Ideally, I'd like the review writers to be able to change the title in case they make a mistake, which would require php to be able to not only create files and folders, but move and/or remove them, as well. However, that's not an absolute necessity. My test server is running Linux/Apache, the newest versions of everything, and for testing purposes I've temporarily set the owner of the main reviews folder as the server. I'm also open to other suggestions on how to make this happen. I'm not really an IT guy, but I can write shell scripts just fine.

Edit:

Thanks to the selected answer, I was able to come up with a solution. I used this guide (http://www.seomoz.org/ugc/using-mod-rewrite-to-convert-dynamic-urls-to-seo-friendly-urls), and modified it to just load the desired php script with no variables, which I designed to retrieve the information directly from the original URL using $_SERVER['REQUEST_URI']. Here's what my .htaccess file looks like; It sends www.domain.com/reviews/the-review-filepath.php to www.domain.com/reviews/review.php.

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule !^review\.php$ review.php

It was much easier for me to do it this way because I a lot more about PHP than regular expressions. Thanks to everyone who answered and/or commented. This is much better than the way I was trying to do it before.

Answer 1

Extending from comment:

If you want to get a "clean" url (e.g. /post/123/comment/456) instead of "parameterized" url (e.g. /?post=123&comment=456), you can still use database, and take advantage of mod_rewrite (since you tagged apache).