
What do you think of phpbb2 plus?

59 replies
supermike (Joined: 2006-02-17):
"free-zombie" wrote:

I know someone who wrote a script to spam phpbb

Yikes. Glad not many people know how to do that. I wouldn't associate with that kind of person. I'm glad that encrypted cookies are utilized along with a SID that unlocks a user record in the MySQL database. I wonder how I would prevent such things. I'd probably do:

* Block more than 4 new thread posts from that user in that forum per day, and more than 25 thread replies in that forum per day. Do this blocking by all of these avenues: ip address, username, and anything unique in the browser's signature as determined by the browser's header that gets sent with every form post. For the header technique, which is slightly unreliable, you'd have to put a block of something like 100 new thread posts in a given forum instead of 4, and perhaps 250 thread replies per given forum per day instead of 25.

* Look for weaknesses in the phpbb code where the cookie for the anonymous user or another user could be tricked into being stolen and reused. Then, prevent it.

* Frustrate the spammer a great deal by requiring things a certain way, such as hypersensitivity on the field names, field order, case-sensitivity, and even a hidden form field that is only filled out after some obfuscated ECMAScript builds it on the fly and which is attached separately to the page from another ECMAScript that builds the filename on the fly and loads it. (Phew! Mouthful.)
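
The per-forum daily thresholds from the first bullet, as an added example in PHP (this is not code from the thread or from phpBB). The limit values are the ones given above; the in-memory counter array, the hashed User-Agent fingerprint and the function names are assumptions made for the example, and a real board would keep the counters in its database or cache:

```php
<?php
// Added example, not code from the thread or from phpBB: the per-forum daily
// thresholds described above, applied across three keys (IP address,
// username, browser fingerprint). The threshold values come from the post;
// the in-memory counter array and the hashed User-Agent fingerprint are
// assumptions; a real board would keep the counters in its database.

// limits per forum per day, per key type
const POST_LIMITS = [
    'ip'   => ['topic' => 4,   'reply' => 25],
    'user' => ['topic' => 4,   'reply' => 25],
    // the User-Agent header is trivially spoofed and shared by many real
    // users, so it gets the looser limits the post suggests
    'ua'   => ['topic' => 100, 'reply' => 250],
];

function request_keys(array $req): array
{
    return [
        'ip'   => $req['ip'],
        'user' => strtolower($req['username']),
        'ua'   => hash('sha256', $req['user_agent']),
    ];
}

/**
 * $counters maps "key type|key|forum|kind|day" to a count.
 * Returns true and increments all three counters if the post is allowed;
 * returns false without touching anything if any one key is over its limit,
 * so a blocked attempt does not consume quota for the other keys.
 */
function allow_post(array &$counters, array $req, int $forum, string $kind, string $day): bool
{
    $keys = request_keys($req);
    foreach ($keys as $type => $key) {
        $slot = "$type|$key|$forum|$kind|$day";
        if (($counters[$slot] ?? 0) >= POST_LIMITS[$type][$kind]) {
            return false;
        }
    }
    foreach ($keys as $type => $key) {
        $slot = "$type|$key|$forum|$kind|$day";
        $counters[$slot] = ($counters[$slot] ?? 0) + 1;
    }
    return true;
}

// constructed sample traffic: one client opening topics in forum 7 on one day
$counters = [];
$req = ['ip' => '203.0.113.9', 'username' => 'Spammer', 'user_agent' => 'Mozilla/5.0 (constructed)'];
$day = '2006-06-01';
for ($i = 1; $i <= 6; $i++) {
    printf("topic %d: %s\n", $i, allow_post($counters, $req, 7, 'topic', $day) ? 'allowed' : 'blocked');
}
// a new username from the same IP does not reset anything: the IP key is exhausted
$req2 = $req;
$req2['username'] = 'Spammer2';
printf("new name, same IP: %s\n", allow_post($counters, $req2, 7, 'topic', $day) ? 'allowed' : 'blocked');
// replies are counted separately from topics, and another forum has its own counters
printf("reply in forum 7: %s\n", allow_post($counters, $req, 7, 'reply', $day) ? 'allowed' : 'blocked');
printf("topic in forum 8: %s\n", allow_post($counters, $req, 8, 'topic', $day) ? 'allowed' : 'blocked');
```

The day string should come from the server clock (for example `date('Y-m-d')`), never from the request, or the client can roll its own quota over. Checking every key before incrementing any of them is what stops a spammer who rotates usernames: once the IP key is exhausted, a fresh account from the same address is still blocked.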

libervisco (Joined: 2006-05-04):

Hey, some good ideas there. I also rather dislike the new bbcode interface and would indeed like something more minimalist. I might just return the old buttons..

I'll be working on all this tonight.

Supermike, if you'd like a testing ground I can install a new instance of phpbb2 in a subfolder if you wish?

Gonna talk more later..

free-zombie (Joined: 2006-03-08):

automated spam is probably best prevented by introducing some random, hardly machine-readable element - like "what does this image say" weird-text things...
since "everyone" does that... how about "count the triangles" (in a picture with different shapes) or something ?

supermike (Joined: 2006-02-17):

libervisco, need to run to a baseball game for my little boy before my wife goes ape on me. *POP* there goes my netizen mode. However, if you build a subfolder and privately email me, I'll build the form and test against it tonight. Do you want it in plain HTML style or do you want me to have it hook up the rest of the elements on the page like normal? Hint: plain HTML is faster for me and you because you can then customize it easier to the way you want. Note you don't have to give me CVS, passwords, or special access. Just the secret URL. I can build the HTML submit form without all that.

Oh, and by the way, you all might not know it, but I discovered it today. You'll find that if you don't use quick reply but click New Topic, very long documents start slowing down, and down, and down. Something is going on with Javascript in the background, I suspect. The old phpbb didn't do that.

a thing (Joined: 2005-12-20):
"free-zombie" wrote:

automated spam is probably best prevented by introducing some random, hardly machine-readable element - like "what does this image say" weird-text things...
since "everyone" does that... how about "count the triangles" (in a picture with different shapes) or something ?

But that discriminates against those without X.

supermike -
1. Lawl at what it did with POP.
2. NoScript is your friend :)

supermike (Joined: 2006-02-17):

athing, don't think I need noscript -- problem is in this phpbb with javascript when you type an extremely long message in any other mode besides quick reply. At least this occurs in Ubuntu Breezy.

libervisco (Joined: 2006-05-04):

Okay, I reimplemented the old bbcode buttons. I think that looks cleaner (and I will later style the buttons to look more cool).

If this is OK then maybe a new html form isn't necessary after all, to spare you the job supermike. :) If you'd still want to give it a go I'll set a testing implementation up for you and let you know when it's ready.

"supermike" wrote:

Oh, and by the way, you all might not know it, but I discovered it today. You'll find that if you don't use quick reply but click New Topic, very long documents start slowing down, and down, and down. Something is going on with Javascript in the background, I suspect. The old phpbb didn't do that.

That is a classic problem I pretty much had with every system I used, sometimes even desktop word processors. I'm not entirely sure that has much to do with JavaScript. I think sometimes just refreshing the thing speeds things up (saving your text before of course).

I'm not a programmer nor have much in depth knowledge of JavaScript so I'm probably not the right person to debug and fix that.. That's probably something to be brought up to the phpbb.com or phpbb.de team.

"free-zombie" wrote:

I know someone who wrote a script to spam phpbb

Ah well.. there's lots of *possible* threats out there, but there's also an active development going on in phpbb project that meets those threats by security improvements. I am not sure how old that script you're talking about is, but it is likely that whatever hole it was using, that was already patched.

If I were to worry about every single malicious script I hear about and get into some kind of non-stop-paranoid mode, I'd never get any real work done around here. I'm not a security expert nor a professional coder. I'll leave that job to those who know it better, the phpbb development team..

So yeah.. let's just focus on this theme here, improving our Nuxified.org experience. :)

free-zombie (Joined: 2006-03-08):

I wasn't referring to it as a threat, but to the ease of writing an alternate form... originally :S

libervisco (Joined: 2006-05-04):
"free-zombie" wrote:

I wasn't referring to it as a threat, but to the ease of writing an alternate form... originally :S

Oh I see.. sorry.. Well I guess then that's good actually. :)

supermike (Joined: 2006-02-17):
"libervisco" wrote:
"supermike" wrote:

Oh, and by the way, you all might not know it, but I discovered it today. You'll find that if you don't use quick reply but click New Topic, very long documents start slowing down, and down, and down. Something is going on with Javascript in the background, I suspect. The old phpbb didn't do that.

That is a classic problem I pretty much had with every system I used, sometimes even desktop word processors. I'm not entirely sure that has much to do with JavaScript. I think sometimes just refreshing the thing speeds things up (saving your text before of course).

I found it. The problem is in this textarea statement:

<textarea name="message" rows="15" cols="35" style="width:450px" tabindex="3" class="post" onselect="storeCaret(this);" onclick="storeCaret(this);" onkeyup="storeCaret(this);"></textarea>

...which calls this:

// Remembers the caret position so bbcode buttons can insert at it.
// createTextRange and document.selection are Internet Explorer-only APIs;
// in other browsers the test fails and the function does nothing.
function storeCaret(textEl) {
	if (textEl.createTextRange) textEl.caretPos = document.selection.createRange().duplicate();
}

...from inside the posting.php page. There's something inside this Javascript that seems to get slower with the more lines you write, but didn't have this problem in the last phpBB-based forum that nuxified.org had previously.

I'm also wondering if all the animated GIFs are sucking resources on my PC, making the problem worse.

supermike (Joined: 2006-02-17):

I also think that posting.php should be edited so that you comment out the code from:

<tr>
<td width="22%" align="right"><span class="explaintitle">Description of your topic</span></td>

...to...

<input type="radio" name="post_icon" value="0" checked="checked">&nbsp;No icon&nbsp;&nbsp;
</span>
</td>
</tr>

...as a test. This gets rid of the description of the topic -- which is not really that necessary, as well as the annoying message icons.

Next, the column for the emoticons could be eliminated and you could just create a button to load a popup window for the same thing. Besides, most people can type the emoticon-language themselves by now and most of us "get it". Overuse of emoticons, IMHO, is better suited to livejournal.com and myspace.com.

Does anyone agree?

a thing (Joined: 2005-12-20):

I agree.

free-zombie (Joined: 2006-03-08):

hmmm. I can't seem to change my sig. (I've corrected that spelling mistake 2 or 3 times now)

dylunio (Joined: 2005-12-20):

supermike, that sounds good.

libervisco (Joined: 2006-05-04):
"supermike" wrote:

I found it. The problem is in this textarea statement:

<textarea name="message" rows="15" cols="35" style="width:450px" tabindex="3" class="post" onselect="storeCaret(this);" onclick="storeCaret(this);" onkeyup="storeCaret(this);"></textarea>

...which calls this:

// Remembers the caret position so bbcode buttons can insert at it.
// createTextRange and document.selection are Internet Explorer-only APIs;
// in other browsers the test fails and the function does nothing.
function storeCaret(textEl) {
	if (textEl.createTextRange) textEl.caretPos = document.selection.createRange().duplicate();
}

...from inside the posting.php page. There's something inside this Javascript that seems to get slower with the more lines you write, but didn't have this problem in the last phpBB-based forum that nuxified.org had previously.

I'll look into it then.

"supermike" wrote:

I'm also wondering if all the animated GIFs are sucking resources on my PC, making the problem worse.

I doubt it. They're just too small to suck out resources, except if you're on an old 486 with a 33 MHz processor.

"supermike" wrote:

I also think that posting.php should be edited so that you comment out the code from:
(...)

Done. :)

"supermike" wrote:

Next, the column for the emoticons could be eliminated and you could just create a button to load a popup window for the same thing. Besides, most people can type the emoticon-language themselves by now and most of us "get it".

My concern with that is that most people used to phpbb are used to having a few basic emoticons available on screen, a single click away. Hiding all of them from view and requiring them to click to get a pop up to choose one may not be what everyone will like.. So I'm not sure yet... I removed the description field and the topic icons. Does it really have to be more minimal?

"free-zombie" wrote:

hmmm. I can't seem to change my sig. (I've corrected that spelling mistake 2 or 3 times now)

Fixed. Just click on the "edit signature" button in your profile and enjoy.. editing your signature. :D It works now.

Cheers

libervisco (Joined: 2006-05-04):

I should really be sleeping now, but hey.. I wanted to throw this in..

The portal now finally looks good. No more blocks with text that is too big and out of balance with the rest of the page. The tips block as well as the GNUs (news) block is up there too. :)

I'd say it's all looking better now.

Now all this tinkering with the insides of phpbb (mostly the theme, but also a few files from the rest of it) and even searching the php.net documentation trying to figure out how to do something (like integrating those tips and GNUs feeds in there) is naturally getting me more familiar with php, in addition to html.

That's why I am having this idea popping up in my head to have that as sort of a hobby project which would be my first programming hobby project. The project would be about making my own version of phpbb, possibly at some point even making my own modifications and then taking the whole thing off in my direction into a new phpbb2 based forum software. I'd call it "NuxBB". :)

It could be a good way to finally start learning some programming, especially php which I badly need, and at the same time benefit this site because that board ought to be perfect for Nuxified.org at some point. :)

Though another possibility is to study punbb and make my own full-featured version of that.. well I'll see...

That's actually pretty offtopic so there.. I spilled it out, now cya after sleep (when I'll be working on replacing those images, addressing that javascript issue per supermike's suggestion, some styling improvements, etc.). ;)

Cheers
Daniel

supermike (Joined: 2006-02-17):

Go, Daniel! Do it! Do it! Learn PHP! You'll really like it, I think. However, if you ever want to write software, I think you should find a good PHP framework out there and learn that first. Find the thinnest PHP framework that doesn't get in your way and yet does a fairly good job of abstracting presentation layer work from application logic. And, along those same lines, avoid XSLT like the plague -- it slows a system down.

I'm working my 4th year on a software project in PHP, with the entire project's logic taking 10 years to think out. I wish now that I had found this thin PHP framework and started using it awhile back. (BTW, I'm still looking for that ideal, thin PHP framework.) You see, my software is not only going to be an app that businesses can use, but a platform that I hope developers will build upon. I only wish my 1.0 version could have used a thin PHP framework so that my app logic didn't mix so much with presentation layer work. Developers who purchase SDKs often do not like projects that mix presentation layer and application logic stuff. I'm afraid I'm going to have to have the project grow before I write the 2.0 with a thin PHP framework.

As well, I hear that it's better to program with PHP ADODB functions, which tries to provide a single database API that can be used to talk to multiple kinds of databases. Or, at least put all your DB calls in a separate file and never use straight database API in your other pages -- do it all through this separate file. That way, you can edit one single file and make your app talk to a different database, somewhere down the road.

P.S. Any luck in ridding the NuxBB of the emoticons in the left part of the New Topic and Reply forms?
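
The "all DB calls in one separate file" idea from the post above, as an added PHP example that is not code from the thread, from phpBB or from ADODB. It uses PDO (bundled with PHP) rather than ADODB as the single database API, so the swap to another database is a change of DSN; the class name, table schema and sample rows are constructed for the example. The security point the post does not spell out is that keeping every statement in one place also makes it easy to guarantee that every value reaches the database as a bound parameter, never spliced into the SQL text:

```php
<?php
// Added example, not code from the thread or from phpBB: one class that owns
// every SQL statement the application issues. PDO stands in for ADODB; the
// schema and the demo rows are constructed. The rest of the app only ever
// calls these methods, so changing databases means changing the DSN here.
final class ForumDb
{
    private PDO $pdo;

    public function __construct(string $dsn, ?string $user = null, ?string $pass = null)
    {
        $this->pdo = new PDO($dsn, $user, $pass, [
            // fail loudly instead of returning false and carrying on
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            // let the database server, not the client, separate SQL from data
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }

    public function createSchema(): void
    {
        $this->pdo->exec('CREATE TABLE IF NOT EXISTS users (
            user_id    INTEGER PRIMARY KEY,
            username   TEXT    NOT NULL UNIQUE,
            user_level INTEGER NOT NULL DEFAULT 0)');
    }

    public function addUser(string $username, int $level = 0): int
    {
        $st = $this->pdo->prepare('INSERT INTO users (username, user_level) VALUES (:u, :l)');
        $st->execute([':u' => $username, ':l' => $level]);
        return (int) $this->pdo->lastInsertId();
    }

    /** Returns the user row or null; the name travels as a bound parameter. */
    public function findUser(string $username): ?array
    {
        $st = $this->pdo->prepare(
            'SELECT user_id, username, user_level FROM users WHERE username = :u'
        );
        $st->execute([':u' => $username]);
        $row = $st->fetch();
        return $row === false ? null : $row;
    }

    public function countUsers(): int
    {
        return (int) $this->pdo->query('SELECT COUNT(*) FROM users')->fetchColumn();
    }
}

// constructed demo on an in-memory SQLite database; a MySQL DSN such as
// 'mysql:host=localhost;dbname=phpbb' would work with no other code change
$db = new ForumDb('sqlite::memory:');
$db->createSchema();
$db->addUser('admin', 1);
$db->addUser('guest', 0);

$admin = $db->findUser('admin');
printf("admin level: %d\n", $admin['user_level']);

// an injection attempt is just an unusual username that matches nobody,
// because the quote and the comment marker never become part of the SQL
$probe = $db->findUser("' OR 1=1 --");
printf("probe matched: %s\n", $probe === null ? 'no rows' : 'a row');
printf("users in table: %d\n", $db->countUsers());
```

With `ATTR_EMULATE_PREPARES` off, the driver sends the statement and the parameters separately, so the probe string cannot change the query's structure. Keeping `ERRMODE_EXCEPTION` on means a failed statement cannot be silently treated as "no rows", which is how many authentication bypasses in old PHP boards started.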

Joined: 2005-12-20

I am learning PHP too, is it good for apps as well as websites?

Hope so, cos I am getting a smartphone, and want to be able to code on that as well :D

tbuitenh (Joined: 2005-12-21):
"onlinebacon" wrote:

I am learning PHP too, is it good for apps as well as websites?

No, it isn't. PHP means "PHP: Hypertext Preprocessor". I think that makes quite clear what it is intended for. But after learning PHP, Perl and C shouldn't be too difficult to learn.

Joined: 2005-12-20

Oh great, thanks tbuitenh :)

supermike (Joined: 2006-02-17):

Yeah, PHPGTK just isn't "there" yet. Might be in the future. When I have to make an app (fat client) on Linux, I throw it together in Python, the PyGTK API, and use Glade-2 to draw the GUI. I'm not a pro in Python, so sometimes I shell out to Bash, run something there, then collect the output and redisplay it in the GUI. It's not the most ideal thing -- Python purists would rather I not do that.

If you're ever interested in doing that, look for a short tutorial on the web and then grab one of the control panels used in Fedora. Look for a *.py script on the hard drive that has a *.glade file in the same directory. From there you can sort of figure it out. That's how I did it.

libervisco (Joined: 2006-05-04):

Thanks for the tips and encouragement supermike. :)

I'll search and explore available php frameworks for GNU/Linux keeping your advice in mind. At this point I'm not really going to write my own stuff from scratch, but rather modify existing code as I learn until I'm able to hack it with more and more of my own code.

It's not a priority though since Libervis Network keeps me busy, but considering it would be beneficial for the management of the network to know it, I'll probably dedicate some time to that too. :)

Cheers

Joined: 2006-03-28

PHP is quite cool, and pretty easy to learn. Especially when you already have some experience in another language, preferably C, since it's quite similar.
And you can really do a lot of things with it, even network-stuff like pings and portscans. :)
Since I'm really not into Perl I sometimes use PHP for shell-scripts, but also for me the main use is generating HTML-output.
Currently I'm working on a quite big portal which uses my website as a base. Too bad I really had to mess up my code to give it all the tweaks the company wants. Well, my site still has the "pure" code and will always be one or two steps ahead. I hope to have it up again soon, but I want to check some of my scripts first before I upload it.

Hmm, I drifted off a little. There are some settings for PHP which I really suggest setting right from the beginning; it can avoid some traps later on. Especially register_globals and allow_url_fopen should be off. For security-tests it can be useful to turn these on to see whether there's any undesired behaviour when some bad stuff is passed to the script.
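
The two php.ini settings named in the post above, as an added example (not code from the thread or from phpBB) that puts the weak form of each bug class next to its hardened form. The function names, the page allow-list and the sample request are constructed for illustration; extract() is used to reproduce what register_globals did, since the directive itself no longer exists in current PHP:

```php
<?php
// Added example, not code from the thread or from phpBB. Shows what the advice
// "register_globals and allow_url_fopen should be off" protects against,
// weak form beside hardened form. Names and requests are constructed.

// php.ini: weak value -> recommended value
//   register_globals  = On -> Off   (directive removed entirely in PHP 5.4)
//   allow_url_fopen   = On -> Off   (unless the app really must fetch URLs)
//   allow_url_include = On -> Off   (PHP 5.2+, governs include/require of URLs)

// WEAK: with register_globals=On every request parameter became a PHP variable
// before the script ran, so ?authorized=1 pre-set $authorized and the check
// below never cleared it. extract() on user input reproduces that behaviour
// today, which is what this function does.
function weak_is_admin(array $query, array $session): bool
{
    extract($query);                 // 'authorized' => '1' becomes $authorized;
                                     // a 'session' parameter would even replace $session
    if (!empty($session['admin'])) {
        $authorized = true;
    }
    return isset($authorized) && (bool) $authorized;
}

// HARDENED: initialise every variable the decision depends on, and never turn
// request data into variables; read it explicitly from the array you expect.
function hardened_is_admin(array $query, array $session): bool
{
    $authorized = false;
    if (!empty($session['admin'])) {
        $authorized = true;
    }
    return $authorized;              // $query cannot influence this
}

// WEAK: a page selector built from input. With allow_url_include=On a value
// like http://attacker.example/x makes include() fetch and run remote code;
// with it off, ../-style values still reach local files you did not intend.
function weak_page_path(string $page): string
{
    return 'templates/' . $page . '.php';
}

// HARDENED: map the parameter onto a fixed allow-list; unknown values yield
// null and the caller renders an error page instead of including anything.
function hardened_page_path(string $page): ?string
{
    $pages = ['index' => 'templates/index.php', 'faq' => 'templates/faq.php'];
    return $pages[$page] ?? null;
}

// constructed request from someone who is not logged in as admin
$attack  = ['authorized' => '1', 'page' => 'http://attacker.example/shell'];
$session = [];

printf("weak_is_admin:      %s\n", weak_is_admin($attack, $session) ? 'granted' : 'denied');
printf("hardened_is_admin:  %s\n", hardened_is_admin($attack, $session) ? 'granted' : 'denied');
printf("weak_page_path:     %s\n", weak_page_path($attack['page']));
printf("hardened_page_path: %s\n", hardened_page_path($attack['page']) ?? '(rejected)');
```

The point of testing with the directives switched on, as the post suggests, is that code written like `weak_is_admin` looks correct when register_globals is off and only fails on a host where it is on; turning it on (or running the extract() version) makes the uninitialised-variable bug visible before an attacker finds it.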

libervisco (Joined: 2006-05-04):

Thanks reptiler..
From the looks of it php doesn't seem all that hard if I'd just get my head into it, which is why I'm kind of glad you say it is similar to C, because I'd definitely like to get to that one at some point as well.

I guess php will be my starting point. I already was reading stuff about python before so I'm not all that new to programming, but I haven't mastered any language yet.

Supermike, I've taken a look at that javascript you've pointed to and frankly.. I'm not sure what I should do about it. I don't seem to experience much slowdown myself, and I'm not really sure if the slowdown is caused by phpbb javascript.. I could research it a bit more around the web and phpbb forums if you'd like, possibly submit a bug report if it can with certainty be identified as a bug.
As for removing emoticons from posting page, what do all others say to that? What about newbies that could come in and are used to having emoticons on the same page in phpbb?

Anyway, I've replaced the most prominent images with subTango styled ones, as you can see.

How does all this look now? A bit too cluttered maybe or you think it's OK?

Thanks
Daniel

libervisco (Joined: 2006-05-04):

I've reimplemented the jabber and "OS/distro used" feature (as you can see in your profile).

That pretty much brings us back to normal user interface wise.. Not ALL images have been replaced with subTango ones, but pretty much all that you can usually see have been (the other ones show in special cases, like when someone selects absence mode). The rest will come too.

Btw, per request I've also added European Union, Bavaria and Wales flags to profiles for selection.

Cheers!

dylunio (Joined: 2005-12-20):

Thank you libervisco :-D

dylunio

free-zombie (Joined: 2006-03-08):

donk'schee libarvissko !
*this dialect is stupid, but I'm wearing the flag after all*

supermike (Joined: 2006-02-17):

Anyone up for widening the reply form's body text field and increasing its font slightly? It's a bit too thin for my tastes and makes it hard to write some of these larger docs that are not just short responses.

libervisco (Joined: 2006-05-04):

Indeed, if anyone else would like that I'll try to make it. :)