Contact Enhanced allows your users to upload multiple files at once, with multiple file selection, progress bars and validation. The files are uploaded via Ajax, so the form will be processed much faster (version 3.2 and newer).
1. Select Components → Contact Enhanced → Form Fields from the drop-down menu on the back-end of your Joomla! installation, then select Multiple Files from the Field Type select list;
2. Choose a category for your Form Field, then Save the changes.
3. Configure the options under the Multiple Files Parameters tab. Available
Now Contact Enhanced will record all messages with attachments over 2Mb, even if you have the Auto Save option disabled. In the email you will see links to download the attachments. The links are encrypted, so users will not know the path to the uploaded file or the real filename; therefore no malicious user will be able to upload an executable file and execute it. This is just an extra layer of security, because you already have the whitelist feature in the Multiple File Upload Custom Field.
Security warning: Many security measures have been taken to prevent malicious users from executing uploaded files; however, to increase security it is CRITICAL that this directory is NOT accessible directly via the web. The default uploaded files directory is /administrator/components/com_contactenhanced/uploadedfiles, but you can change it to a location OUTSIDE the web site root directory. To change the uploadedfiles directory, edit the CE_UPLOADED_FILE_PATH define in the file /components/com_contactenhanced/defines.php. On a Linux server it will look something like this:
But if you must have it in the web directory (and you are using Apache AND the web server configuration allows .htaccess files to restrict access to directories), then protect it by creating a file called .htaccess in the uploadedfiles directory containing the lines below, or by just renaming the htaccess.txt file located in that folder:
    order deny,allow
    deny from all
If you are using IIS, you need to edit the properties of the data directory (from the Internet Information Services Manager console) and deny access to that folder to everybody from the web (i.e., to the user IUSR_computername, where computername is the network name of the computer that Joomla and the data directory are on).
If you don't protect the data directory from direct web access, anybody can access and execute files uploaded by Contact Enhanced forms. If you do not allow your users to upload executable files or scripts (exe,php,dll,...), you should not have any problem; however, it is always good to be safe! :-)
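A check for the two protections described above, as an added example that is not part of Contact Enhanced: it reports whether an upload directory lies outside the web root and, if not, whether its .htaccess holds a deny-all rule. The function names and the sample directory layout are assumptions made here; `Require all denied` is accepted as the Apache 2.4 form of the same rule.

```python
import os
import re
import tempfile

# Deny-all directives: the page's rule plus its Apache 2.4 spelling.
DENY_RULES = (
    re.compile(r"^\s*deny\s+from\s+all\s*$", re.I),
    re.compile(r"^\s*require\s+all\s+denied\s*$", re.I),
)

def is_inside(path, root):
    """True if path, as written or with symlinks resolved, lies at or below root."""
    return any(os.path.commonpath([f(path), f(root)]) == f(root)
               for f in (os.path.abspath, os.path.realpath))

def htaccess_denies_all(directory):
    """True if directory/.htaccess has an uncommented deny-all directive."""
    try:
        with open(os.path.join(directory, ".htaccess"), errors="replace") as fh:
            lines = [ln for ln in fh if not ln.lstrip().startswith("#")]
    except OSError:
        return False
    return any(rule.match(ln) for ln in lines for rule in DENY_RULES)

def audit_upload_dir(upload_dir, web_root):
    """Return 'outside-webroot', 'htaccess-protected' or 'exposed'."""
    if not is_inside(upload_dir, web_root):
        return "outside-webroot"
    if htaccess_denies_all(upload_dir):
        return "htaccess-protected"
    return "exposed"

def demo():
    """Audit a constructed directory layout (not a real site)."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = os.path.join(tmp, "public_html")
        inside = os.path.join(web_root, "administrator", "components",
                              "com_contactenhanced", "uploadedfiles")
        outside = os.path.join(tmp, "private", "uploadedfiles")
        os.makedirs(inside)
        os.makedirs(outside)
        before = audit_upload_dir(inside, web_root)
        with open(os.path.join(inside, ".htaccess"), "w") as fh:
            fh.write("order deny,allow\ndeny from all\n")
        return [audit_upload_dir(outside, web_root), before,
                audit_upload_dir(inside, web_root)]

if __name__ == "__main__":
    print(demo())
```

A result of htaccess-protected only means the file is in place; whether Apache honours it depends on the server allowing .htaccess overrides, so confirm by requesting an uploaded file's URL and expecting a 403 response.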