Re: Proposed method for file attachments and uploads



Progress is excellent, way ahead of schedule, should have a public demo Saturday night (24 hours or so).

Working on an auto-thumbnail method now for image uploads.

I’ve come up with some extra security features like the files are not directly publicly accessible (stored in a non-webroot directory) so they never get fed through the parsers and cannot be executed (i.e. .php .html .asp) even if someone manages to trick a file extension or MIME type somehow. The only downside to this is that the files must be “dumped” through PHP (readfile) which will keep the PHP session open longer but unless you are serving multi-megabyte files at high traffic rates, this should not be a big issue (optionally you can make the files directly accessible off the web if this is a critical issue).

As a bonus the above method makes hotlinking impossible as you can set attachments as accessible to logged-in members only.
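
A sketch of the download handler the post describes, added here as an example and not the poster's or the project's own code. The storage path, the `$_SESSION['user_id']` login marker and the attachment index are assumptions; the session is closed before `readfile()` so a long transfer does not hold the session lock.

```php
<?php
// download.php: added example; every name and path below is an assumption.
declare(strict_types=1);

const STORAGE_DIR = '/var/app-data/attachments'; // assumed directory outside the webroot

// Constructed sample index; a real forum would read this from its database.
// Files are stored under server-generated names, never the uploaded name.
const ATTACHMENTS = [
    17 => ['stored' => 'a3f9c2.bin', 'name' => 'diagram.png', 'type' => 'image/png'],
    18 => ['stored' => '7be014.bin', 'name' => 'notes.html',  'type' => 'text/html'],
];
// Types allowed to render inline; everything else is forced to download.
const INLINE_TYPES = ['image/png', 'image/jpeg', 'image/gif'];

function deny(int $code): void
{
    http_response_code($code);
    exit;
}

session_start();
if (empty($_SESSION['user_id'])) { // hypothetical login marker: members only
    deny(403);
}
session_write_close(); // release the session lock before streaming the file

$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!is_int($id) || !isset(ATTACHMENTS[$id])) {
    deny(404);
}
$meta = ATTACHMENTS[$id];

// Resolve the path and confirm it is still inside the storage directory.
$base = realpath(STORAGE_DIR);
$path = realpath(STORAGE_DIR . '/' . $meta['stored']);
$prefix = $base . DIRECTORY_SEPARATOR;
if ($base === false || $path === false || !is_file($path)
    || strncmp($path, $prefix, strlen($prefix)) !== 0) {
    deny(404);
}

$inline = in_array($meta['type'], INLINE_TYPES, true);
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $meta['name']);
header('Content-Type: ' . ($inline ? $meta['type'] : 'application/octet-stream'));
header('X-Content-Type-Options: nosniff'); // stop browsers guessing an executable type
header('Content-Disposition: ' . ($inline ? 'inline' : 'attachment') . '; filename="' . $safeName . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```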
