Archive for the ‘Modifications’ Category

MOD Validation Workflow

Posted by evil3 in Modifications on October 5th, 2009

As the title already says, this blog post will describe how the MOD Team validates modifications and what happens to them before they come out at the other end of the queue.

Less significant modification team changes

Posted by evil3 in Modifications on September 19th, 2009

As previously stated, every team will announce how it will be affected by the significant phpBB development changes. This post will explain the effects on the modifications team.

Versioning scheme

Since phpBB will be using a new versioning scheme, we will adopt this scheme for all of our tools (AutoMOD, UMIL, etc.).

MOD authors will be encouraged to use this new versioning system too. We will, however, be less strict in enforcing it. In fact, we will allow any versioning that is compatible with version_compare, so versions such as 1.0.0.0 will be allowed. We will still require it to be stable though.

Additionally, we will release a new version of MODX to support this and adapt our tools where needed.

phpBB 3.0

Because phpBB 3.0 is not going to change, we don’t have to adopt any changes. This will just continue as it has been so far.

phpBB 3.x

Depending on what changes will be made to the modding API, we will assist MOD authors in using it and provide documentation. All in all, it will highly depend on how many changes will be made to phpBB itself. There are a lot of improvements we can think of, and we will try to get them implemented where possible.

We will allow submission of modifications for new phpBB branches once they are released. We will support the branches that are supported globally.

phpBB 4.0

The release of phpBB 4.0 is way too far ahead for us to be able to say anything at all about it. It is a fresh start and will possibly bring many new possibilities. We can be pretty sure that the new architecture will have an impact on modding that will change it fundamentally. We will wait and see, and work together with the development team.

The future

We have some great plans waiting for the MOD writing community. These include building more advanced infrastructure and tools, as well as making alterations to the MODX standard. We will work on making the workflows of modification engineering more efficient. More information will follow in due time.

– The Modifications Team

How (not) to use request_var

Posted by evil3 in Modifications on September 10th, 2009

Note: This post is targeted at MOD authors and contains many technical details.

Introduction

Amongst the great security features that phpBB 3.0 provides is the function used for processing user input, request_var. This function was designed to make it easy to securely retrieve user-inputted data. It is one of the most important security functions in a system that retrieves external data, as it can (with caveats that will be elaborated upon) single-handedly stop XSS and SQL injection attacks dead in their tracks.

The reason we have created this blog post is to give modification developers more information on how this function works and why you should use it.

3.0.6 CAPTCHA plugins and you

Posted by Kellanved in Development, Moderating, Modifications, Styles, Support on June 27th, 2009

You probably have already heard about it: the next release will include a host of new features. This post will present one of them in detail, showing the idea and the impact on users, style and MOD authors.

Most admins are experiencing problems with spam, which is taking away lots of energy that would be better spent on the enjoyable parts of administrating a community. We tried our best in the arms race against spambot programmers, but have to admit failure with our previous approach. Since 3.0.x became as popular as it is, any default visual confirmation gets broken almost instantly. After long discussion in and outside the teams, we came to the conclusion that diversity is the answer: every board admin should be able to use a non-default anti-bot measure without it being a pain.

phpBB 3.0.6 plans

Posted by Acyd Burn in Development, Modifications, Styles on June 10th, 2009

Here we are. phpBB 3.0.5 got released and work on phpBB 3.0.6 began. Previously, we concentrated on fixing bugs and only introduced tiny new features. This time, phpBB 3.0.6 will be a “feature” release, packed with numerous new, cool, stunning, breath-taking… err, just new features. ;) We will now tell you which new features are planned for 3.0.6 and what style authors and modders need to take care of.

Guest Post: Starting your own MOD by A_O_C

Posted by wGEric in Modifications on April 21st, 2009

MOD requests are common with each version of phpBB. Every user wants something different to make their board unique. The problem, however, is that there are more users than MOD Authors. However, with an understanding of PHP and phpBB, you can create your own!

What do you want to see on this blog?

Posted by battye in Development, Moderating, Modifications, Styles, Support on April 14th, 2009

I touched on this in an article at my own site last month, but it is worth mentioning here as well.

This blog currently covers a wide range of topics, from how to run your forum (How many forums should I create?, How Many Moderators Do You Really Need?, etc.), to technical aspects of phpBB and MODs (Injection Vulnerabilities, Templating just got easier, etc.) and even general posts about the phpBB project itself (Talkin bout Area51, Londonvasion Re-Cap – phpBB Ascraeus, etc.). We would like some feedback from the community to get an idea about the sort of things you would like to read in the blog posts.

Our question to you is: are there any topics in particular you would like to see posted in the blog? Are there other categories of articles (besides the ones mentioned above) which we need to focus on more?

Please give us your feedback by replying in the comments box below.

Thanks!

Tutorial: Injection Vulnerability Prevention

Posted by TerraFrost in Development, Modifications on February 12th, 2009


Notice
Some websites have claimed this article discloses an “injection vulnerability” in phpBB. It does not. What this post actually does is provide an overview of vulnerabilities commonly introduced by third-party modifications to phpBB and discuss what the authors of said modifications need to do to protect their code against attack.

Despite being among the easiest of vulnerabilities to understand, injection vulnerabilities are also among the most common. For most users, they will simply manifest themselves as an error when select characters are used, but a sufficiently adept user may be able to take that error and exploit it to their advantage.

To prevent this from happening, one needs to properly sanitize all user-definable variables. Unfortunately, the way one properly sanitizes a variable depends on where it’s being used. In this post, we’ll discuss how to sanitize variables for use in SQL queries and in HTML, in general and in phpBB3, and we’ll discuss what can happen if proper sanitization isn’t used.

Fighting CSRF

Posted by Kellanved in Development, Modifications on January 14th, 2009

Cross-Site Request Forgery, or CSRF for short, is a type of vulnerability that is getting more and more attention. The concept can be translated as “tricking the browser into automatically performing some action using the user’s privileges”. Let’s see what phpBB does about it.

Advantages of session integration

Posted by battye in Modifications on January 9th, 2009

As the world moves towards Web 2.0, it is becoming increasingly important to have a dynamic website – something which most people are using the PHP language to achieve. Unlike the use of HTML by itself to create a website, HTML and PHP together allow a website to be much more flexible, such as connecting to a database.

If you are running a bulletin board based on phpBB3, then it is worthwhile considering the benefits of integrating your main website into phpBB3.
