i store the original image name in the database as well as the scrambled ( md5 + salted ) version. Then to display an image on the site i send the original filename to a script that retreives the scrambled filename from the database, then sends the headers and streams the image to the browser. From the site visitor's perspective, they never see the scrambled filename and therefore can't reference any hacker laced files they've uploaded.
This should probably be TRUE (without the quotes). The docs say it's a boolean so if you actually submit a string (even if it's 'FALSE') it will still get evaluated to true. You probably didn't have any issues because you're going for true anyway.