i have a mime_email function that resets the $HTTP_POST_FILES array and attaches all the files.
i don't have this on a production server yet because i'm not sure if a security hole exists.
if there were no other files posted to a page, could a user with a properly crafted URL or page set the $HTTP_POST_FILES array with whatever data they wanted?
like $HTTP_POST_FILES[file][tmp_name] = path/to/passwd/file
or something as destructive...
the function is very handy, because then whenever i want to add a file to a program that uses the email, i just have to add a <input type='file'> and it works automatically.
