auto
10-20-2001, 06:37 PM
I know this has been discussed in the past.. but I feel the need to bring this up again [I wasn't involved in the previous discussion of this, so I have the right :D]
I remember how great the hack was that converted the storage of avatars from db to folder...
The cons of doing the same to attachments is that if a person can upload an executable file and then execute it on the server, poop could happen. But what if I don't allow anything executable to be attached? These are the file types I allow on my site: gif jpg png txt zip bmp jpeg. This can in no way put the server in jeopardy [as far as I know, feel free to correct me if I am wrong :)]
As a safety measure, we could also have a script such as this one included in this hack:
<?php
// Fixes applied to the posted script so it runs on current PHP: $QUERY_STRING
// (register_globals) replaced by $_SERVER, split()/ereg() replaced (both removed
// in PHP 7), the $savecount/$savecounter typo fixed, the domain list trimmed
// (the line break after the comma stopped the second pair from matching), the
// file fetched once instead of twice, and the malformed Content-Disposition fixed.
$folder="samplefolderfile";
// basename() keeps only the file name, so "../" in the request cannot leave $folder
$filename=basename(stripslashes(urldecode($_SERVER['QUERY_STRING'] ?? '')));
if ($filename=="") {
die("<h1>Invalid File Request...</h1>");
}
//your domain(s)
$domains="www.automotiveforums.com,automotiveforums.com,
www.automotivecritics.com,automotivecritics.com";
$domainids = array_map('trim', explode(",",$domains));
$numdomain = count($domainids);
//home domain information: the host part of the Referer header
$refr=$_SERVER['HTTP_REFERER'] ?? '';
$home=(string) parse_url($refr, PHP_URL_HOST);
// print "home = $home<br>\n";
$good = 0;
$counter = 0;
$savecounter = 0;
while ($counter<$numdomain) {
// print "domains = $domainids[$counter]<br>\n";
if ($home==$domainids[$counter]) {
$savecounter = $counter;
$good = 1;
}
$counter++;
}
if ($good == 0) {
die("<h1>Leecher!</h1>This file is from $domainids[$savecounter]");
}
else {
$url="http://".$domainids[$savecounter]."/".$folder."/".$filename;
$fp=@fopen($url,"r"); // needs allow_url_fopen=On
if($fp) {
// match the extension at the end of the name only (ereg(".mp3") matched anywhere)
if (preg_match('/\.mp3$/i',$filename)) {
$xtype="audio/mpeg";
}
elseif(preg_match('/\.jpe?g$/i',$filename)) {
$xtype="image/jpeg"; // image/pjpeg was an IE-only type
}
elseif(preg_match('/\.zip$/i',$filename)) {
$xtype="application/x-zip-compressed";
}
elseif(preg_match('/\.exe$/i',$filename)) {
$xtype="application/x-msdownload";
}
else {
$xtype="application/octet-stream";
}
header("Content-Type: $xtype");
header("Accept-Ranges: bytes");
header("Content-Disposition: inline; filename=\"$filename\"");
fpassthru($fp); // stream the handle opened above instead of fetching the file a second time
fclose($fp);
}
else {
die("file not found");
}
}
?>
So all the attachments will be called not as a direct URL, but something like http://www.siteurl.com/vbulletin/attach.php?image.gif
This way, it will also serve as an anti-leech [that's the main function for the script above] and will keep the location of attachments unknown.
The reason I am asking for this hack is because some of my members are nuts and are attaching HUNDREDS, yes, HUNDREDS of images :D They are all quality and appropriate, and I have no problem with them.. but I just don't see why it should be in the database... lots of pain in the arse.
Thanks guys.
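An added example (not the poster's script, and not a vBulletin hack) of the same attach.php idea written the way a defender would want it: files are read from a directory outside the web root rather than fetched back over HTTP, the name is reduced to a basename and checked against the extension allowlist the post lists, and the Referer host is compared with parse_url(). The directory, the domain names and the file= parameter are assumptions for the example.

```php
<?php
// Added example, not the poster's code. Assumed: attachments live in ATTACH_DIR,
// a directory OUTSIDE the web root, and the request is attach.php?file=image.gif.
const ATTACH_DIR = '/var/forum_attachments';                              // placeholder path
const ALLOWED_DOMAINS = ['www.example-forum.com', 'example-forum.com'];  // placeholder names
const ALLOWED_TYPES = [ // the poster's extension allowlist and the type each is served as
    'gif' => 'image/gif', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
    'bmp' => 'image/bmp', 'txt' => 'text/plain', 'zip' => 'application/zip',
];
// Anti-leech check on the host part of the Referer only (no Referer = refused, as in the post).
function referer_allowed(?string $referer, array $domains): bool
{
    $host = $referer ? parse_url($referer, PHP_URL_HOST) : null;
    return is_string($host) && in_array(strtolower($host), $domains, true);
}
// Map the requested name to a real file inside $dir, or null if anything about it is off.
function resolve_attachment(string $requested, string $dir, array $types): ?string
{
    $name = basename($requested);                        // drops any directory part
    if ($name === '' || $name[0] === '.' || !preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset($types[$ext])) { return null; }           // "image.gif.php" has ext "php": rejected
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name);
    // realpath() follows symlinks, so insist the result still sits under $dir
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}
if (PHP_SAPI !== 'cli') {                                // request handling; skipped under the CLI
    if (!referer_allowed($_SERVER['HTTP_REFERER'] ?? null, ALLOWED_DOMAINS)) {
        http_response_code(403);
        exit('Leecher!');
    }
    $path = resolve_attachment((string) ($_GET['file'] ?? ''), ATTACH_DIR, ALLOWED_TYPES);
    if ($path === null) {
        http_response_code(404);
        exit('file not found');
    }
    header('Content-Type: ' . ALLOWED_TYPES[strtolower(pathinfo($path, PATHINFO_EXTENSION))]);
    header('X-Content-Type-Options: nosniff');           // browser must not guess another type
    header('Content-Disposition: inline; filename="' . basename($path) . '"');
    readfile($path);                                     // served from disk, never via HTTP
}
```

Because the directory is not under the web root, the server can only ever read these files, so even a misnamed upload is never executed; the extension allowlist and nosniff header then keep a browser from treating them as anything other than the listed types.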