Whoa Thanks a lot for the fast reply and help!
I can't wait to install this hack! |
Herb, while evaluating PHP forum software I found the AGORA open source project http://www.araxe.fr/w-agora
with some examples of the forum implemented for use with uploading image attachments. In fact two are used as photo galleries. I've listed the sites below. Maybe these can give you some ideas.
Two being used as Q&A forums:
http://www.lymanboats.com/agora/w-ag..._qna&expnd=all
http://www.lbsna.org/lymanboard/w-ag...n_Boat_Society
One being used as a news page:
http://www.highlandsofohio.com/agora...3?bn=news_news
And a similar setup being used as a photo gallery:
http://www.lbsna.org/agora/w-agora.php3?bn=lbsna_photo
http://www.Synfibers.com
http://www.cj.synfibers.com
http://www.akulscarpets.com used as photo gallery |
Herb
I installed the hack and it works fine, but the remove part gives me a Parse error! on the newthread.php file, and I checked and double checked, and I have no idea why, I thought it was an extra } but it didn't work even then, could you please help me solve this problem? Thanks again for all your help! |
scott - thanks for the links I will have to look those over.. ;)
conan - I am sorry I am not following you.. A parse error could be something as simple as a missing ; Maybe you can post the portion of code you think is giving you a problem.. |
To everyone who's currently using this hack:
I suggest you temporarily remove it, as it leaves a very large security problem in your board. I couldn't find a way to contact Herb, but if he'd be so kind as to contact me (ICQ: 16435685) I'll help him develop a resolution for the problem. Once again, the issue is quite large, and can be used to retrieve anything from your /etc/passwd to your MySQL database info. Stay tuned. |
I've notified Herb via email and PM, he should respond shortly. I've shown him what you were able to do and I agree that anyone using this hack should remove it until the security hole is patched.
|
Well let us know what it is soon enough so we can avoid doing it in another hack.
Are we manipulating showthread to send something else instead of the intended picture? |
Well, it's kinda (really kinda) equivalent to taint checking in Perl. It involves the PHP upload feature. It's easily abusable so we're trying to avoid posting it :)
|
Herb - I'd say you've got the file types covered with
.JPG and .GIF for now, but in the future other small files to allow would be .txt, .doc, and Acrobat files. I could not ever see any video or music files as they are too large. Something else to think about is limiting max file size and displaying the file size so a user will know what to expect as far as load time etc. No one likes surprises. Have you considered some hashing routine to store the attachment files in folders by hashed names as a function of file name? As the attachments begin to number in thousands that will be important. |
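The upload checks suggested in the post above (a short list of allowed image types, a maximum file size, hashed storage folders), sketched in PHP as an added example; it is not code from Herb's hack and is not the fix for the undisclosed problem. `store_attachment()`, `shard_path()`, `ATTACH_ROOT`, the 100 KB limit and the `attachment` form field are assumptions, and it hashes the file content rather than the file name so the stored path never depends on client-supplied text.

```php
<?php
// Added example, not code from the hack discussed in this thread.
// Assumed names: store_attachment(), shard_path(), ATTACH_ROOT, the 'attachment' field.
const ATTACH_ROOT = '/var/forum/attachments';   // assumed path, outside the web root
const MAX_BYTES   = 102400;                     // assumed limit: 100 KB
const ALLOWED     = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg'];

function shard_path(string $hash, string $ext): string
{
    // The first four hex characters of the hash pick the folders: ab/cd/abcd....jpg
    return substr($hash, 0, 2) . '/' . substr($hash, 2, 2) . '/' . $hash . '.' . $ext;
}

function store_attachment(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Only accept a temp path that PHP itself created for this request's upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('file size not allowed');
    }
    // Decide the type from the content, never from the client-supplied name or MIME type.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED[$info[2]])) {
        throw new RuntimeException('only GIF and JPEG are accepted');
    }
    $hash = hash_file('sha256', $file['tmp_name']);
    $rel  = shard_path($hash, ALLOWED[$info[2]]);
    $dir  = dirname(ATTACH_ROOT . '/' . $rel);
    if (!is_dir($dir) && !mkdir($dir, 0750, true) && !is_dir($dir)) {
        throw new RuntimeException('cannot create storage folder');
    }
    if (!move_uploaded_file($file['tmp_name'], ATTACH_ROOT . '/' . $rel)) {
        throw new RuntimeException('cannot store file');
    }
    // The original name is kept only as display text; escape it on output.
    return ['path' => $rel, 'bytes' => $size, 'display_name' => basename($file['name'])];
}

// Usage in the form handler: $meta = store_attachment($_FILES['attachment']);
```

The returned `bytes` value is what the board would show next to the attachment so readers know the download size.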
Well my hack has an upload feature so why don't you just email me the problem please.
|