attachments stored in a folder rather than db

[auto]

I know this has been discussed in the past.. but I feel the need to bring this up again [I wasn't involved in the previous discussion of this, so I have the right ]

I remember how great the hack was that converted the storage of avatars from db to folder...

The cons of doing the same to attachments is that if a person can upload an executable file and then executes it on the server, poop could happen. But what if I don't allow anything executable to be attached? these are the file types I allow on my site: gif jpg png txt zip bmp jpeg. This can in no way put the server in jeopardy [as far as I know, feel free to correct me if I am wrong ]
As a safety measure, we could also have a script such as this one included in this hack:

PHP Code:

 <?php

$folder="samplefolderfile";
$filename=stripslashes(urldecode($QUERY_STRING));

if ($filename=="") {
  die("<h1>Invalid File Request...</h1>");
}

//your domain
$domains="www.automotiveforums.com,automotiveforums.com,
            www.automotivecritics.com,automotivecritics.com";

$domainids = explode(",",$domains);
$numdomain = count($domainids);

//home domain information
$refr=getenv("HTTP_REFERER");
list($remove,$stuff)=split('//',$refr,2);
list($home,$stuff)=split('/',$stuff,2);

 // print "home = $home<br>\n";

$good = 0;
$counter = 0;
$savecounter = 0;

while ($counter<$numdomain) {

 // print "domains = $domainids[$counter]<br>\n";

  if ($home!=$domainids[$counter]) {

  }
  if ($home==$domainids[$counter]) {
     $savecount = $counter;
     $good = 1;
  }
  $counter++;
}

if ($good == 0) {
  die("<h1>Leecher!</h1>This file is from $domainids[$savecounter]");
}
else {

  $fp=@fopen("http://".$domainids[$savecounter]."/".$folder."/".$filename,"r");

     if($fp) {
        if (ereg(".mp3",$filename)) {
          $xtype="audio/mpeg";
        }
        elseif(ereg(".jpg",$filename)) {
          $xtype="image/pjpeg";
        }
        elseif(ereg(".zip",$filename)) {
          $xtype="application/x-zip-compressed";
        }
        elseif(ereg(".exe",$filename)) {
          $xtype="application/x-msdownload";
        }
        else {
          $xtype="application/octet-stream";
        }

        Header("Content-Type: $xtype");
        Header("Accept-Ranges: bytes");
        Header("Content-Disposition: ; Filename=$filename");
        readfile("http://".$domainids[$savecounter]."/".$folder."/".$filename);
     }
     else {
        die("file not found");
     }
}

?>

so all the attachments will be called not as a direct URL, but something like http://www.siteurl.com/vbulletin/attach.php?image.gif
this way, it will also serve as an anti-leech [that's the main function for the script above] and will keep the location of attachments unknown.


The reason I am asking for this hack is because some of my members are nuts and are attaching HUNDREDS, yes, HUNDREDS of images They are all quality and appropriate, and I have no problem with them.. but I just don't see why it should be in the database... lots of pain in the arse.

Thanks guys.