UBB.Developers Forums UBB.threads 6 V6 Modifications V6 Mod Ideas req:attachments shown in posts like in VBulletin

Would be nice to have a mod for UBB Threads that will display an attachment 'nicer' within a posting, like it does in VBulletin.

The default method of UBB just says 'attachment' at the top of a posting. It doesn't say what the name of the attachment is, what type of file it is, and doesn't display a little icon corresponding to the type of file (ie. little pdf icon or ms word doc icon). The little icon is just a nice luxury, but it sure would be better to have something like:

Attachment: newsletter.pdf (540KB)(downloaded 4 times)

or such at the bottom of the posting, rather than the
UBB default of 'Attachment' and no other info.

This needs to be updated - but I did this a while ago back for version 6.1. I was still learning so the code is probably sloppy..... but it worked.

Gave File Size - and Icon for the type of file it was.

Here is the link for it:
https://www.ubbdev.com/forum/showflat...=true#Post54633

Thanks for the link.

Curious that the default UBB attachment display is so weak in a mature product.

The VBulletin method is the logical method of displaying and linking attachments. Baffles me why UBB does it their way.

Attachment: newsletter.pdf (454KB)(4 downloads)

just makes so much more sense than

#9 date/time 'Attachment' (filename ?)(4 downloads)

Why display the download number (ie. #9)?
Why NOT display the filename of the attachment ?
Why not pickup the filesize and display that (a dialup user would want to know before downloading a 5MB file) ?

Baffling.

Although it's not air tight the reason the name isn't given is that then users could bypass the download script with a little effort on their part. Clicking on the link to the attachment enables the download script to check the access of the user before transfering the file.

More could be done to really make this a lot more secure at some point. I'm looking forward to that time.

one reason the file name is hidden is that it's obvious where the uploads directory is in both threads and vb. Knowing the name of the attachment will allow someone not logged in to download any attachment because they would know the name of the file. The way threads handles it keeps your attachments only for logged in users should you choose to protect them like they do here

IP numbers aren't meanlingless to most people who run forums.

The way attachments are handled is a personal opinion, but I like the way they are done here

I am an asp programmer with vbscript and not yet up to speed on php, but in asp I have a download script that I programmed. I display the name of the download on the web page. When clicked, the name of the file is passed to my download.asp program, which checks the username and password against an SQL database, and if valid and logged in properly, the download.asp file will serve up the requested file (the user doesn't even know the actual server directory where the file is stored, and it is never displayed to them. Even when using tools to see the actual raw http Get/Post/etc.).

I name my download directory something non-guessable like
/asdf90qw3357e-0rsaa

It should be do-able, and shouldn't take much coding in a hack. I wish I knew PHP.

Yeah, but alot of people can easily guess /uploads/whatever.gif or the like of the location and manually enter it into the browser - bypassing the download script.

I think the file size should be added though. Although unlike my mod - it should be reworked to store the size in the database. As on a busy site with alot of attachements, I belive reading the file size can add alot of disk slamming for sure.

The number displayed isn't the Download number - it's the number of downloads. So you can tell something is popular if it's been downloaded x times. We use it here with modifications - so you can see what mods have been downloaded the most.

Put this in my edited post above, but will put it here also..

I name my download directory something non-guessable like
/asdf90qw3357e-0rsaa

And as I said, the way asp/vbscript works, my download.asp program 'grabs' the file from that directory, and serves it to the client browser without telling them the directory name where it came from. Directory path is not given to the client in any way (doesn't show up with raw http tools, property checks, and even programs like Getright or Flashget which try to resolve the real address).(this is on Win2000/2003 servers IIS 5/6).

Good point about the file sizes in the database. As long as it is cached in RAM there, it will save disk hits.

The best solution is for the downloads to be placed outside the www root. The download script would need to send the correct headers and feed the downloaded file to the user. This would allow for the actual name of the file to be displayed since only those with access would be able to download it. There would be no way around this. (unless they have ftp access to your server of course) lol

The problem with making a hard to guess directory name is that if they have access to some downloads they then can figure out what the directory name is anyhow and then download other files they don't have access to. (provided they have the names of them)

Having a directory outside the webroot is a good idea.

Also, you are correct, if you freely give out the hard-to-guess directory name with other downloads, then you are not hiding anything. This would seem obvious. In the download area I setup, I don't do this. I always download only via the download.asp script, so the directory name is never given to the client. Then only see http://...../download.asp?newsletter.pdf and not the resolved true location of the file. IIS5/6 serves the file to the client and never shows them a resolved url. This is a solid type of anti-leech script.

I wouldn't mind seeing the .threads download script fortified more. Perhaps in time.

Yeah, even using a "download script" - I know on the mac you can right click and open it in a new window - then I would see the "real" URL.

Download script should be made to use Group Access - like we do here - standard.

Any php superstars willing to code this ?

Basically something like:

(icon) Attachment: newsletter.pdf (2MB)(35 downloads)

downloaded from a secure directory out of the webroot.

I predict I will be up to speed in 6-12 months to be able to attempt this in php (in vbscript I could do it now). Anyone want to volunteer to code this cool hack sooner ? Sounds like Josh already has it half written.

Yes, I could probably update my other mod.

Got a little client backlog right now - (I was on vacation last week and it caused things to pile up) - so I can't tell when I can get it done. But I'll put it on my list.

Great.