PHP caches = good.

You might want to look at this benchmarks page if you are exploring PHP caches: … eview.html

Xcache is the latest and greatest open-source PHP cache, and seemingly the most up-to-date and well supported. It's what all the vBulletin kiddies are using nowadays to eke the most performance out of their hosting accounts.

Of those on that list, I've only used eAccelerator (installed in a VPS environment as a RPM = easy, so far trouble free).

You may also want to look at a simple PHP cache called jpcache - - as well. Unlike some of the others,  jpcache is relatively simple to set up and doesn't require the deeper level of system access to install that things like APC and eAccelerator do.

As a general guide to optimizing MySQL/PHP apps, the following is also a good reference I always point people to, even though it is focussed on the Typo 3 CMS. … rformance/

The page on PHP tuning at: … ce/page/4/

illustrates very well the virtues of using a PHP cache.


Peter wrote:

.. I'm very sceptical a few generic php scripts could have brought the server down.

Hah! I once worked with a young web programmer who, while he was learning PHP, regularly sent a quad-CPU web server to 100% CPU utilisation with just the simplest chunks of code. I had to spend a lot of time watching over the apps he was working on, and his access to our production web server at the time.

Aside from simple bad code, the main issue with shared hosts running PHP web apps is usually MySQL related:  too many open connections, too many simultaneous queries etc. MySQL can be such a pig. Minimise any queries your PHP app generates - via caching or turning off bells and whistles in your app (even in PunBB) - and you generally won't go far wrong.

It is interesting to watch the output of the 'top' command on a shared host with lots of users. Sure MySQL is there at the top of the CPU pile a lot, and PHP too less frequently, but both are regularly outdone by spamd (SpamAssassin) and exim (SMTP service) grabbing a LOT of CPU a LOT of the time.

Your host better be certain that PHP is the culprit in your CPU woes - it usually has a lot of competition for CPU on most shared servers.

PunUser wrote:

...and a Google search resulted many registrations with the same postings on many PunBB forums.

And lots and lots of vBulletin, SMF, phpBB etc forums too. A pretty virulent bot.

ProgonkaOne looks like a ban word to put in the 'censoring' list...

From  your Apache logs, can you tell where the bot came from when they first signed up, BTW?

I just came across this while poking about on the Invision site:

It's a quick visual guide to all the CSS elements used in the Invision 2.2 board, or as they say:

This guide has been created to give you an at-a-glance view of the names of the CSS elements that are used across IP.Board 2.2. The guide has been divided into different sections depending on what area of the board you wish to customise.

Very nice.

It would be very handy if the punBB CSS gurus could do something similar for 1.3 or even 1.2.14.  Would make things much easier and more direct for the rest of us [clumsy and hopeless] CSS amateurs.

That is unless someone has done something like this already.

You mean like Invision has?

It is quite handy. But there's always email too.

Or you could create a private forum within punBB where only moderators and admins have access as well. It would be just as effective.

More info on style modding, inc the header and footer issue, is also at:


of course:

It actually is quite easy to dev up a style of your own, esp by building up from style pre-built by tools like, or just modding some of the existing styles at

But I can see how for a new PunBB user, figuring it all out is hard going.

The documentation is obscure, and scattered all over. 

Every day I discover something new myself, and I've been using it for a while.

Coding is fun and intellectually exciting, whereas preparing documentation for users and other developers is dead boring and dull. Hence documentation is typically not great with a lot of open source coding projects, IMHO. Hence many of these projects are commonly accompanied by flourishing forums like this one smile

hcgtv wrote:

It's getting harder to keep track of the players these days, with so many CMS's being introduced.

Oh, it's easy to keep track of them.

Just sign up for any decent security newletter, like SANS @Risk ( or Secunia's.

In no time you'll be familiar with all the CMS's, old and new. smile

redneck wrote:
sirena wrote:

But I sometimes want to yell at people about this, along the lines of: folks, it's just Stuff. It's ephemera. It ain't worth a damn. You are wasting your life.

Wasting my life?  What else should I be doing with my life besides enjoying it to the fullest?

You got any better ideas, let me know.

The punBB forum prob. isn't the best place to develop this dialogue to its fullest, so all I will say is that 'enjoyment' defined as consumer consumption is probably amongst the thinnest of pleasures you can buy into.

Off on a tangent (sorry)...

Looking at this site, I am always amazed at the range of geekdom/fanboyism people get into.

Whether its guns, PC's/Mac/Linux, games consoles, motorbikes/accessories, 4WD's, coffee machines, militaria, mobile phones etc etc etc.

It seems to drive an awful lot of the web.

But I sometimes want to yell at people about this, along the lines of: folks, it's just Stuff. It's ephemera. It ain't worth a damn. You are wasting your life.

On your death-bed you won't be thinking about PS3 vs Nintendo Wii,  or Samsung Blackjack vs Treo 750, or regret the fact that you weren't able to spend more time and money pimping up your Subaru WRX or Ducati, or that you didn't get to buy a Barrett before they banned them.


fixed wrote:

I'm VERY concerned about it from a security perspective: I fear using it in the way I want will almost guarantee a forum security compromise.

There's some missing features I definitely want in it, namely:
- MOST IMPORTANTLY:  Ability to add/upload inline attachments (images mostly).

- An easy to use BBcode (or something) editor: not everybody knows how various tags work off the top of their head
- Private messaging system.  This may not be 100% required, but would be nice.

You do see the contradiction in this, don't you.

You want a secure forum package, but you also want a kitchen sink of features that expose your forum to stuff like uploaded binaries and another layer of potentially dodgy PHP in the form of a private message system....

All things being equal, more code = more bugs = more vulns. It's hard to have your cake and eat it too, esp. with complex PHP or other web apps. You may have to compromise a bit with your requirements.

FWIW, PuBB is quite secure, at least in terms of reported bugs, in it's vanilla default state:

And of course it would be remiss of me if I didn't remind you that security has many layers.

puBB or any other forum runs on top of and/or alongside a whole heap of other stuff that you also need to worry about in terms of security too.

Even if punBB's code was bulletproof, punBB could still be hacked via vulnerabilities in your O/S, router, database, web server, firewall, mail server, scripting engines, DNS server, file-system permissions being set wrong, weak passwords etc etc etc etc, not to mention any vulnerabilities in any of the other web apps (eg a CMS) you (or anyone else on your server) may be running.

Nice integration. Did you have any problems?

Spell check on home page: "your sensual resouce network".

'resouce' should be 'resource', unless 'resouce' has a special erotic meaning that eludes me smile

Also in the same paragraph: '.. please stay tune' should be 'please stay tuned'

In terms of content, I find the whole theme of the site rather juvenile.

Sensuality as you conceive of it seems to be just a catalogue of sexual positions. Huh? I'm sorry, but that makes the site very boring indeed.

A text editor (Crimson Editor for me) + SSH + SFTP (Putty + WinSCP) .

Oh, and a browser (FF2 with the Web Developer extension) and regular access to Google.

That's all the CMS you need.

Know your Enemy: Web Application Threats - Using Honeypots to learn about HTTP-based attacks

A recent paper by the Honeynet project that punBB and other PHP developers may find a good read.

From the precis:

"...This KYE paper focuses on application threats against common web applications. After reviewing the fundamentals of a typical attack, we will go on to describe the trends we have observed and to describe the research methods that we currently use to observe and monitor these threats. In Appendix A, we give actual examples of a bot (a variant of PERL/Shellbot), the Lupper worm and an attack against a web Content Management System (CMS) as examples that show how web application threats actually act and propagate."

Very useful.


(5 replies, posted in General discussion)

What sort of server or hosting account are you on?

Dedicated/shared/VPS? It's interesting to know the horsepower you had available to cope.

This gets my vote as a useful feature in the fight against forum spam (and blog comment spam) for sure.

Implementing it is one more small but useful step in making punBB a less attractive target for spammers.

It would be a nice feature for the punBB administrator to be able to optionally enable for all URL's submitted in forum posts and profiles.

Interesting to note that it is now moving towards being a W3C standard.

This has been raised before for punBB. If you are interested here's a patch to implement it in punBB:

Mmmm. Hentai galore too.

hcgtv wrote:


Being part of the project, I'm privy to the conversations the developers have, and I can say with certainty that they know their stuff. PunBB 1.3 will have it's bumps, no doubt, but you can rest assured that they will get ironed out very quickly.

Cool. I don't doubt the developers know their stuff. The robustness of punBB sure shows it.

punBB's robustness to date (IMHO) seems in part related to the 'leanness-by-design' Rickard has been pretty good at sticking to.

I just worry that with with greater code complexity of 1.3 (and more cooks) the probability of bugs/vulns in the punBB 'core' inevitably goes up.

I still have nightmares over my experience using the Mambo CMS several years ago. The core dev team kept expanding, the code base swelled, features mushroomed, and it became a hackers paradise and a web managers nightmare.

Optional add-ons and plug-ins will always be of highly-variable quality, but it would be good if the punBB core code stayed lean, mean and secure as things go to 1.3 smile

I know secure code is everyone's goal nowadays, but is it an explicit goal of the punBB 1.3 dev effort to improve on the security of punBB?

1.2.14 seems pretty good and stable, but I am worried that 1.3 - with its hundreds of new hooks, it's new this, new that - could also open a few new doors to exploitation.

I write this after reading in the latest SANS Consensus Security Alert ( of a batch of new exploits for common forum packages (but not punBB so far). They just keep coming, and all popular forums are pretty much under constant onslaught.

It would be nice to think extra security awareness was in 1.3, balancing out its new features...


(3 replies, posted in PunBB 1.2 troubleshooting)

What do your Apache server logs say?

Surely they must give you some useful information about this.

Specifically, have a look at a breakdown that shows pages viewed by visitor IP address for the day you noticed the guest numbers spike up.

That will help identify if you are being spidered aggressively, and/or whether there is some pattern to the activity that might be informative.


(30 replies, posted in PunBB 1.2 discussion)

Yann wrote:

.. but I think it was because of a too small key_buffer_size ...

What was the key_buffer size setting that worked best for you?


(5 replies, posted in PunBB 1.2 discussion)

Burnsy86 wrote:

...I need to know the best way to keep the forums secure to prevent any possible hackers.  Please help me! Thank guys!

The most fundamental way to run a secure punBB forum is to make sure the server sitting underneath it is secure - ie the server itself (O/S, Apache, MySQL, PHP etc) is appropriately hardened, regularly patched, regularly monitored, and has good defences - eg has a tight firewall running on it, and Apache is running a HTTP request sanitizer like mod_security...

My point is: if you can't be sure your server is secure, including ALL THE OTHER APPS AND SERVICES RUNNING ON IT, forget about trying to secure punBB.

It's that simple. The weakest link in the chain may not be punBB. Focussing just on securing punBB would be a big error.

As for punBB itself, some simple tips:

- choose complex passwords for MySQL and your punBB admin account, natch...
- run some sort of forum spam tool (one of the CAPTCHA mods or the Kismet add-on),
- MINIMISE your usage of punBB's many 3rd party add-ons, mods etc etc. These can introduce vulnerabilities.
- install punBB into a non-standard location (not '' or '').
- try .htaccess password protecting the key punBB admin PHP files
- check, tighten and recheck/retighten the users and permissions set on all your punBB files and folders to ensure
  they are as restrictive as you can practically make them (eg 0644 is nice for your files).


(9 replies, posted in PunBB 1.2 show off)

It is a fun look, with some innovative touches and nice detail work. Credit to them for all those elements. 

But it is slow, and relies too much on stuff like Flash and javascript for the site to work fully as intended, which is always a big risk. Bits of it don't work for me.

Plus it suffers from the IE6/ PNG transparency problem too, which makes it look crappy under IE6.

pluto198 wrote:

Thanks for the feedback...

sirena,  is it possible that you don't have javascript enabled in IE?  I have a javascript on every page that fixes PNGs in IE.  I've tested it on IE6 (XP SP2), and seems to be fine.  Even when you change the BG color with my style picker, the PNGs look fine on the new background.  That's very strange that it doesn't work for you.

Nope, javascript is running and working fine. IE6 on Win2k is what I use for my IE browsing.

IE does report the following (strange) script error though, FWIW:

Error:Access is denied.


which may be in your styleswitcher.js.

(I generally think it is not optimal to rely on a javascript to make simple images like this view properly, whatever the browser - just my point of view...).

The BG color changer works nicely, but doesn't alter the problem.


(3 replies, posted in PunBB 1.2 troubleshooting)

My mantra is: if something or someone acts suspiciously, block them.

Whether by IP address, user agent, referrer etc is up to you, depending on the means at your disposal.

I'd also suggest re-working your macbasementlogo.png image.

The transparency doesn't work in my Windows IE6. So what you end up with is a horrible looking light brown rectangle with '' written it it, showing off all sorts of ugly jaggies around the font too.

Not a good look.

It's a known problem:

Looks fine in Firefox 1.5 and Opera though.

Maybe a .gif would be a safer bet if you want that transparency to happen.

There is still a lot of IE6 about.