  #11  
Old 12-29-2001, 06:52 PM
ethank ethank is offline
 
Join Date: Oct 2001
Location: Toluca Lake, CA
Posts: 196

Couldn't you store the attachments in a non HTTP served directory and have the attachment.php page load it up from there?

Ethan
  #12  
Old 01-13-2002, 02:25 PM
auto auto is offline
 
Join Date: Nov 2001
Location: Los Angeles, CA
Posts: 85

yea, you should be able to - great point ethan

I REALLY need this hack as soon as possible, my attachments table is over 450 megs
  #13  
Old 01-15-2002, 09:04 AM
Jawelin Jawelin is offline
 
Join Date: Nov 2001
Posts: 557

Is there any FAST way to throw out the files from the db and store them to any dir on the same server ??
From php, of course...

Thanks

Bye
  #14  
Old 01-15-2002, 02:35 PM
Scott MacVicar Scott MacVicar is offline
 
Join Date: Oct 2001
Location: Glasgow, Scotland
Posts: 1,199

I've already started work on this hack after some nameless admin here suggested to someone I would be able to do it, thanks heh

I've done the modifications to the functions that deal with the upload, but I need to make more adjustments because all attachments are uploaded to a dir below root and they have a funky random name to stop people trying to execute them, so randomstring.file is what I've been calling them, and then the attachment.php file opens them, sends the header and then sends the file.

Hopefully I'll be able to get this finished soon.
  #15  
Old 01-15-2002, 03:57 PM
Jawelin Jawelin is offline
 
Join Date: Nov 2001
Posts: 557

GREAT!!

Probably the following rows in attachment.php should do the job if configured in settings ...
PHP Code:
// Let browsers and proxies cache the attachment for one year
header("Cache-control: max-age=31536000");
header("Expires: " . gmdate("D, d M Y H:i:s", time() + 31536000) . " GMT");
header("Last-Modified: " . gmdate("D, d M Y H:i:s", $attachmentinfo['dateline']) . " GMT");
// $attachment is not defined in this excerpt
header("Content-disposition:$attachment filename=$attachmentinfo[filename]");
header("Content-Length: " . strlen($attachmentinfo['filedata']));
// File extension, lower-cased, without the leading dot
$extension = strtolower(substr(strrchr($attachmentinfo['filename'], "."), 1));
I.e. to store (echo $attachmentinfo[filedata];) the same stream instead of into DB to a configurable path.... and modify the url to the path for example in a new field of the attachment table...



Yeah. My problem was exactly: how to write the bin output to the server ?

I also tried to follow the same path of Kier's hack about avatars (look here ), and I think another way could be to intercept the file, even with the random name that some php SHOULD know, when it's still on the server in the TMP directory...
Move it from there to the requested dir and bypass all the attachment.php job but the url creation linking to that directory.

For security reasons, anyway, I think it should be better to make ONLY an explicit AdminCP feature to save the attachment file on the server, remove it from the DB and relink the post to the new location. Nothing else...
(an automated url-location of executable files could be dangerous....)

What do you (all of you) think about ?

Thanks a lot for your work.

Bye
  #16  
Old 01-20-2002, 10:24 AM
Jawelin Jawelin is offline
 
Join Date: Nov 2001
Posts: 557

What about creating subdirs on a download dir of the server by random md5 hashes (tailed to 8 chars, better....) and keep the original filename ?
Like for example Java SDK is downloadable from the support site.

This way, any user should pass through the attachment php and couldn't be able to download the file directly as he doesn't know the full path ... !?!?

Thanks
  #17  
Old 01-20-2002, 01:17 PM
Scott MacVicar Scott MacVicar is offline
 
Join Date: Oct 2001
Location: Glasgow, Scotland
Posts: 1,199

That's almost what I've done.
New attachment table structure:
attachmentid
userid
dateline
filename
visible
data
hash

When you upload a file it creates a random 8 character string then hashes it to 32, the file then becomes HASH.file within the attachments folder. I've been running the folder under the document root just to be sure.

I'll be looking for some beta testers.

I'll also look into making a file to remove files from database to folder at a later date.
  #18  
Old 01-20-2002, 01:49 PM
Jawelin Jawelin is offline
 
Join Date: Nov 2001
Posts: 557

Quote:
Originally posted by PPN
thats almost what i've done
[...]
I'll be lookin for some beta testers.

I'll also look into making a file to remove files from database to folder at a later date.

HERE I AM!
I'd like a lot also this last mentioned option to get out attachments from DB. Do you think that flow could be reversed Admin-uploading the file into ?

LMK if I could help you someway.
Thnx

P.S.: I think a 32-char dir should be too long for some kind of servers. It isn't a high-security matter, so an 8-char hash would be nicer. For example it could be, instead of a random number, also an algo of the filename... It's enough don't tell it to anyone !
  #19  
Old 01-20-2002, 03:16 PM
Scott MacVicar Scott MacVicar is offline
 
Join Date: Oct 2001
Location: Glasgow, Scotland
Posts: 1,199

I'm positive all operating systems support up to a 32-character filename, the hash is gonna be the name of the actual physical file.

Say the hash is
bc28af6f750004729474ccbb403bd0ee

and I upload earl.gif (my avatar)

the file is moved from the temp location it is uploaded to the folder specified in the admin panel and the file is called bc28af6f750004729474ccbb403bd0ee.file instead of earl.gif, this prevents people from trying to guess the location and the fact that it has a different extension should stop people from trying to execute it, even if they could find it.
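
An added example, not part of any post in this thread and not Scott MacVicar's hack: one way to write the storage step described in posts #17 and #19. It takes the 32-character name straight from `random_bytes()` instead of hashing a random 8-character string; `store_attachment()`, its `$move` parameter and the demo directory are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: move one upload into $dir under a random name and
// return the values to save in the attachment table. $move is injectable
// only so the demo below can run from the CLI; in a web request leave it
// null so move_uploaded_file() is used, which accepts real HTTP uploads only.
function store_attachment(array $upload, string $dir, ?callable $move = null): array
{
    $move ??= 'move_uploaded_file';
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // 128 bits from the CSPRNG as 32 hex characters: same length as an MD5
    // hash, but not derived from a short seed.
    $hash = bin2hex(random_bytes(16));
    $dest = rtrim($dir, '/') . '/' . $hash . '.file';
    if (!$move($upload['tmp_name'], $dest)) {
        throw new RuntimeException('could not store attachment');
    }
    chmod($dest, 0640);   // plain data file, no execute bit

    return [
        'hash'     => $hash,
        // Keep only the last path component of the client-supplied name.
        'filename' => basename(str_replace('\\', '/', $upload['name'])),
        'dateline' => time(),
    ];
}

// Demo with a constructed upload entry (rename stands in for
// move_uploaded_file because there is no HTTP request on the CLI).
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/attach-demo';   // stand-in for a non-served dir
    is_dir($dir) || mkdir($dir, 0750);
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, 'GIF89a constructed sample bytes');
    $row = store_attachment(
        ['name' => '..\\..\\earl.gif', 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK],
        $dir,
        'rename'
    );
    print_r($row);
    echo is_file("$dir/{$row['hash']}.file") ? "stored\n" : "missing\n";
}
```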
  #20  
Old 01-20-2002, 08:58 PM
Jawelin Jawelin is offline
 
Join Date: Nov 2001
Posts: 557

Ok, but when the file is stored w/ this name in a server dir and the browser accesses it to download, who actually changes its name to save locally with the right one ?
Thnx
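
An added example, not from the thread and not vBulletin's own attachment.php: the serving side of the scheme, where a script reads HASH.file from disk and gives the browser the original filename through Content-Disposition. `attachment_response()`, the row layout (taken from the table structure in post #17) and the sample row are assumptions.

```php
<?php
declare(strict_types=1);

// Map one attachment row to the file to stream and the headers to send.
// Returns null when the row does not correspond to a stored file.
function attachment_response(array $row, string $dir): ?array
{
    // The hash is the only part of the row used in a path; accept nothing
    // but 32 hex characters so a bad row cannot point outside $dir.
    if (!preg_match('/\A[0-9a-f]{32}\z/', (string) $row['hash'])) {
        return null;
    }
    $path = rtrim($dir, '/') . '/' . $row['hash'] . '.file';
    if (!is_file($path)) {
        return null;
    }
    // The original name goes into a quoted header value: replace control
    // characters (CR/LF included), quotes and path separators.
    $name = preg_replace('#[\x00-\x1f\x7f"\\\\/]#', '_', (string) $row['filename']);

    return ['path' => $path, 'headers' => [
        'Content-Type: application/octet-stream',   // never the uploader's type
        'X-Content-Type-Options: nosniff',
        'Content-Disposition: attachment; filename="' . $name . '"',
        'Content-Length: ' . filesize($path),        // size on disk, not strlen()
        'Last-Modified: ' . gmdate('D, d M Y H:i:s', (int) $row['dateline']) . ' GMT',
    ]];
}

// In a web request the caller would do:
//   foreach ($resp['headers'] as $h) { header($h); }
//   readfile($resp['path']);
// CLI demo with a constructed file and row (hash value quoted in post #19,
// filename and dateline made up for the demo).
if (PHP_SAPI === 'cli') {
    $dir  = sys_get_temp_dir() . '/attach-demo';
    $hash = 'bc28af6f750004729474ccbb403bd0ee';
    is_dir($dir) || mkdir($dir, 0750);
    file_put_contents("$dir/$hash.file", 'GIF89a constructed sample bytes');
    $row  = ['hash' => $hash, 'filename' => '../ea"rl.gif', 'dateline' => 1011539760];
    $resp = attachment_response($row, $dir);
    echo $resp === null ? "not found\n" : implode("\n", $resp['headers']) . "\n";
}
```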