Version: 1.00, by Scott MacVicar
Developer Last Online: Mar 2016
Version: 2.2.x
Released: 01-20-2002
Last Update: Never
Installs: 12
Is in Beta Stage
No support by the author.
This is a hack which allows you to save the attachments as files and not within the database. The main problem with this was the fact that it posed certain security issues; these have been tackled by doing the following:
- Placing the folder below document root
- Using random hashes to name the file
- Changing the file extension to .file
- Never divulging the path to the file
This is a beta hack; it has been tested on a development board. I have had insufficient time to fully complete the attachment importer; this removes the files from the database and creates them as physical files in the attachment folder. I will post this as soon as possible.
Looking forward to your feedback.
Scott
To install this hack upload this file to the admin directory and then view it in your browser.
All the changes that Jawelin suggested have been applied, thanks man
This modification may not be copied, reproduced or published elsewhere without author's permission.
Originally posted by PPN Jawelin: I have to work out a simple way to do that as it's a list of attachment IDs; I'm sure I'd have to explode the variable and then do a foreach loop. Will look into this in a bit and then I'll look into the mistake with the hash.
PPN, sorry for this reminder, but I'm in trouble with half this hack installed (just the modifications to the DB) and absolutely need to make the tabledump lighter before upgrading to v2.2.2 ...
So, I'm here again to ask to discuss about the unsolved problems.
I've been busy with school work and I'll look into it in about 2 hours; I have some stuff I need to finish before I can check it over. I've also just changed to a new system, so moving the files has taken a while too.
Will post a finish to this hack tonight and then get it moved into the full releases section.
Sorted the problem with an extra .file being appended; this was caused by a problem when the file was created. I recommend applying the getupload function again and the other modification to functions.php which was added to remove the attachments when a thread was deleted.
Thanks a lot.
Such a fast and positive ack should make me mind my advice wasn't boring.
I'll fully reapply the entire hack and still minded trying to create an offline importer/exporter to follow the VB settings.
If pleased, will let you know.
First question: you suggest an attachment directory below the document root, like '/home/username/attachments'.
This way, it's outside of the public_html folder, so files can't be accessed and executed via web.
- Does the attachment.php access them without problem?
- This way it isn't necessary yet to change the extension and the nature of the file, is it?
attachment.php is modified to open the file then read the contents, so it doesn't have a problem with files below or above document root. You could even place it in a directory in the root of the drive as long as PHP has permission to read and write to that directory.
Why would you want to change the extension of the file? If you do then it could become executable; it's simpler to name it .file as then it wouldn't be executed.
No problem about appending one (or two?) '.file' as extension, even to a random hash to make the filename unpredictable.
I would prefer - and think to modify the hack this way - append all these diversions to the true filename; this way, browsing the dir via ftp or telnet or whatever, I'll suddenly recognize the file and have the perception of what it is...
That's all ....
My need, of course. It shouldn't be too difficult to add the truename to the hash in 3-4 points, I think.
I would like it to become something like: "filename.ext.hash.file"
Almost unpredictable, but still recognizable...
Oh, by ftp / telnet: I have my own attachment browser in the admin panel.
You can get all attachments by users or forums and it lists the attachments, and then you can view or download or edit etc. It's a tool I found that I use a lot.
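
The storage scheme discussed in this thread (folder outside the document root, random hash as the name, fixed .file extension, path never divulged), as an added example that is not the hack's own code and not part of any post above. The function names, the `ATTACH_DIR` path and the use of `random_bytes()` are assumptions made for illustration; the sample upload is constructed.

```php
<?php
// Added illustration, not the hack's code. All names here are hypothetical.
declare(strict_types=1);

// Assumption: a directory outside the web server's document root.
const ATTACH_DIR = '/home/username/attachments';

/** Copy an uploaded temp file into the store; returns only the random name. */
function store_attachment(string $tmpPath, string $dir = ATTACH_DIR): string
{
    $hash = bin2hex(random_bytes(16));       // 32 hex chars, unpredictable
    $dest = $dir . '/' . $hash . '.file';    // fixed extension, never the uploader's
    // A real upload handler would call move_uploaded_file(); copy() lets the demo run from the CLI.
    if (!copy($tmpPath, $dest)) {
        throw new RuntimeException('could not store attachment');
    }
    chmod($dest, 0600);                      // readable by the PHP user only, never executable
    return $hash;                            // stored in the attachment row instead of the file data
}

/** Return the stored bytes for a hash read from the attachment row. */
function read_attachment(string $hash, string $dir = ATTACH_DIR): string
{
    // Validate strictly before building the path, so a tampered value cannot leave $dir.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $hash)) {
        throw new InvalidArgumentException('bad attachment id');
    }
    $data = @file_get_contents($dir . '/' . $hash . '.file');
    if ($data === false) {
        throw new RuntimeException('attachment missing');
    }
    return $data;
}

// Constructed demo: a script-like upload stored in a throwaway directory.
$dir = sys_get_temp_dir() . '/attach_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, '<?php echo "constructed sample upload";');

$hash = store_attachment($tmp, $dir);
var_dump(read_attachment($hash, $dir) === file_get_contents($tmp));
try {
    read_attachment('../../etc/passwd', $dir);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The original filename and MIME type stay in the database row and are sent only as response headers by the download script, so the on-disk name never needs to carry them.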