There's really no good way to do this, which is why it isn't done. Kusaba's default DB schema is as follows:
| file | varchar(50) | NO | | NULL | |
| file_md5 | char(32) | NO | MUL | NULL | |
| file_type | varchar(20) | NO | | NULL | |
| file_original | varchar(255) | NO | | NULL | |
So you have a 255-character limit on the original filename; the default Linux FS, which is ext2, 3, or 4, has the same limit, which is good, and the URI limit is larger than that. Great; however, file, not file_original, is the stored and referenced field in the DB, with a limit of 50. That can easily be changed in the DB, or you can change the variable used to file_original. To do this you need to sanitize user input, being the file name. Things you don't want in it:
. .. / ? * ) ; ' " & && | -- and so on. This could allow for a user to maliciously or unknowingly inject PHP code, overwrite files like board.php in the specific directory like /k/ as kusaba has RW permissions to it, or inject SQL, which is where the ' ) ; and -- come in. -- is a comment in SQL, which can be exploited in some cases where PHP ignores it but SQL executes the query. In all it should be fairly trivial to escape these characters or remove them.
Appending a Unix timestamp, seconds since epoch, in combination with the board name should obviate any concerns over duplicate filenames, but since you're not allowing Kusaba to use an auto-incrementing value, you'll also need to ensure it doesn't exist first. Not a large hurdle, but more IO operations.
The reason Kusaba stores it as a numerical string is filesystem abstraction, much like Linux has VFS as an integral part of the kernel: users have indirect means of accessing the FS, and many of the FS-specific concerns are left to the kernel. This is generally thought to be a good thing.
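A sketch of the sanitising and duplicate check described in the post above, as an added example that is not part of the original post and not Kusaba's own code. The function names, the `<stem>_<board>_<unixtime>.<ext>` layout and the extension allow-list are assumptions, and the board name is assumed to be a short value from server-side configuration, not user input.

```php
<?php
// Added example, not Kusaba code. Function names and name layout are assumptions.
const FILE_COLUMN_MAX = 50; // width of the `file` varchar(50) column

// Reduce an untrusted upload name to [stem, ext], or null if it must be rejected.
function sanitize_upload_name(string $original, array $allowedExt): ?array
{
    // Keep only the last path component, whichever separator was used.
    $base = basename(str_replace('\\', '/', $original));
    $dot = strrpos($base, '.');
    if ($dot === false || $dot === 0) {
        return null; // no extension, or a dotfile
    }
    $ext = strtolower(substr($base, $dot + 1));
    if (!in_array($ext, $allowedExt, true)) {
        return null; // extension is not an allowed upload type
    }
    // Allow-list: every character outside [A-Za-z0-9_] becomes "_".
    $stem = trim(preg_replace('/[^A-Za-z0-9_]/', '_', substr($base, 0, $dot)), '_');
    return [$stem === '' ? 'file' : $stem, $ext];
}

// Build "<stem>_<board>_<unixtime>.<ext>" and reserve it in $dir without a race.
function reserve_stored_name(string $dir, string $board, string $stem, string $ext, int $now): string
{
    for ($i = 0; $i < 100; $i++) {
        $suffix = '_' . $board . '_' . $now . ($i ? '_' . $i : '') . '.' . $ext;
        $name = substr($stem, 0, max(0, FILE_COLUMN_MAX - strlen($suffix))) . $suffix;
        // Mode "x" fails if the file already exists: check and create in one step.
        $fh = @fopen($dir . '/' . $name, 'x');
        if ($fh !== false) {
            fclose($fh);
            return $name;
        }
    }
    throw new RuntimeException('could not reserve a unique filename');
}

// Constructed sample inputs, written to a throwaway directory.
$dir = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$now = time();
foreach (['../../board.php', "pic'); -- .png", 'holiday photo.JPG', 'holiday photo.JPG'] as $orig) {
    $parts = sanitize_upload_name($orig, ['png', 'jpg', 'gif']);
    echo $parts === null
        ? "REJECT  $orig\n"
        : 'STORE   ' . reserve_stored_name($dir, 'k', $parts[0], $parts[1], $now) . "  <- $orig\n";
}
array_map('unlink', glob($dir . '/*')); // clean up the demo files
rmdir($dir);
```

When the reserved name is written to the `file` column, bind it as a prepared-statement parameter instead of concatenating it into the query string, so the SQL side does not depend on the character filter alone.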