I've just hit this problem too. The previously published solution is complex, and involves modifying the DB after the lead record has been written. This also - as we now know - takes place too far down the track to affect anything in the notification emails and - often - data sent to other plugins.
Instead, as suggested above, I hooked into the much earlier "gform_pre_submission_filter", which triggers when the form is POSTed back, and before any processing is done. The code below is pretty basic (it'll run on every form - if you need something more specific, add a form filter check at the start) and just loops through the $_FILES array, replacing any filename it finds with a pseudo-random MD5 hash. (You could, obviously, replace this with any algorithm you wish to generate the filename.)
However, remember that as this happens long before the DB write, you don't have access to a Lead ID or any other DB-related data; any other submitted form data you want to use will have to be got the old-fashioned way directly from $_POST - be careful to properly escape any field you plan to redisplay or use in an unexpected way to avoid the creation of potential XSS or SQL-injection vulnerabilities.
// Force uploaded filenames to a unique hash BEFORE form is processed
add_filter("gform_pre_submission_filter", "wired_set_upload_filenames", 10, 1);
foreach($_FILES as &$file)
$oldname = $file['name'];
$newname = $oldname;
$ext = '';
$dot = strrpos($oldname,'.');
if ( false !== $dot )
$ext = substr($oldname,$dot);
$newname = md5( mt_rand().$oldname );
$file['name'] = $newname . $ext;
// Return form object
Hope this is of help to others in the same boat.
Posted 8 years ago on Wednesday May 1, 2013 | Permalink