Like you wrote: [size=7]Large text[/size]
26 2009-03-30 18:24
Re: After upgrading to 1.3 does not understand some BBCode (9 replies, posted in PunBB 1.3 troubleshooting)
27 2009-03-30 16:51
Re: After upgrading to 1.3 does not understand some BBCode (9 replies, posted in PunBB 1.3 troubleshooting)
http://www.pepak.net/files/punbb/bbcode_size.zip
Supports the same sizes as <FONT SIZE="..."> attribute: 1..7, +1..+3, -1..-3. Rewriting it to other sizes should be trivial, you won't even need the callback (though you can use it).
28 2009-03-30 16:50
Re: Integrating PunBB into a generic CMS (6 replies, posted in PunBB 1.3 discussion)
URL changed to:
http://www.pepak.net/files/punbb/studna.zip
This one should be permanent.
29 2009-03-30 13:02
Re: After upgrading to 1.3 does not understand some BBCode (9 replies, posted in PunBB 1.3 troubleshooting)
Remind me by posting the request once more, please. I can't do it now but will be able to do it in a few hours, if I remember.
30 2009-03-28 05:54
Re: After upgrading to 1.3 does not understand some BBCode (9 replies, posted in PunBB 1.3 troubleshooting)
If you want it, it's one line in hook ps_do_bbcode_end.
31 2009-03-27 10:22
Re: theme :) (6 replies, posted in PunBB show off)
It is very pretty, but rather hard to read - the background should be darker, IMHO.
32 2009-03-26 21:24
Re: Integrating PunBB into a generic CMS (6 replies, posted in PunBB 1.3 discussion)
Hmm, looks like the readme file is gone. Will have to rewrite it sometime.
Meanwhile, the extension is here: http://www.pepak.net/files/punbb-studna.zip
Basically, what needs to be done:
1) The extension should be unpacked in your <b>extensions</b> directory
2) Files in <b>modified</b> should replace original PunBB files. The changes are minimal (just compare the files) but need to be done.
3) Queries and URLs in <b>manifest.xml</b> need to be rewritten for your users-table and your URLs. Our engine is based on a really prehistoric PHP-Nuke. The whole point of this extension is that it isolates all references to user tables so that they can be modified easily.
4) Update your users table to contain all PunBB fields that are not present in your current table.
5) <b>all_users_fields</b> contain a fieldset part of a SELECT statement that returns all fields in users-table. You will notice that for the most part, it is just "my field renamed to PunBB field", with a few special cases (e.g. PHP-Nuke used a really stupid user_regdate format).
6) <b>users_fields_translate.php</b> contain a translation layer between PunBB fieldnames and your users-table's fieldnames.
33 2009-03-24 21:29
Re: Database in static page (9 replies, posted in PunBB 1.3 discussion)
Add
define('FORUM_SHOW_QUERIES', 1);
to the end of your config.php. This will display performed queries and you can check what's wrong with them, e.g. in PhpMyAdmin.
34 2009-03-24 19:56
Re: How do MySQL queries in PunBB work? (14 replies, posted in PunBB 1.3 troubleshooting)
<a href="'. FORUM_ROOT .'viewtopic.php?id='.$cur_post['id'].'" title="View Replies" >'.$cur_post['num_replies'].' Comments</a>
links to the post id not to the topic id. How can I fix that?
Are you sure? It sure looks like a topic link.
Maybe (MAYBE!) it should be $cur_post['topic_id']?
35 2009-03-24 19:53
Re: How do MySQL queries in PunBB work? (14 replies, posted in PunBB 1.3 troubleshooting)
pepak wrote:What's the problem? Building a real query is hardly any more than concatecating all keys and values into one string.
Just because you may be familiar with php and SQL does not mean that everyone is.
Well, I guess - but really, if someone is unfamiliar with both PHP and SQL, how can he ever hope to make meaningful changes to the code?
36 2009-03-24 19:51
Re: Database in static page (9 replies, posted in PunBB 1.3 discussion)
You shouldn't use $forum->query but $forum->query_build.
37 2009-03-24 05:45
Re: How do MySQL queries in PunBB work? (14 replies, posted in PunBB 1.3 troubleshooting)
What's the problem? Building a real query is hardly any more than concatecating all keys and values into one string.
38 2009-03-21 20:04
Re: Integration (4 replies, posted in PunBB 1.3 discussion)
You can use my extension as a basis - I wrote it to integrate PunBB into my website (based on a prehistoric PHP-Nuke). It certainly won't work for you without heavy modification, but it does at least isolate all hooks that need to be checked.
http://punbb.informer.com/forums/topic/ … neric-cms/
39 2009-03-21 05:48
Re: The migration to utf-8 delete text, data loss! (39 replies, posted in PunBB 1.3 bug reports)
Are you sure that these ALTER queries will work on PostgreSQL and SQLite?
I fail to see how that is relevant - database conversion code will almost certainly need to be hard-coded for every database separately. That is, if you want a reliable code.
It was not me who designed db_update.php so I can't explain its logic in details. To tell you the truth, I'm still confused a little with all these encodings and collations in databases. But I want to fix bugs if they exists and will continue investigating.
Well, my main database is Firebird so I can't really tell you details about PostgreSQL and SQLite.
With MySQL, you don't care what encoding the data is stored in the database. All you need to do to get UTF8 output, regardless of encoding actually used by the database, is:
1) Make sure table structure matches table data. Which is NOT the case with many PunBB 1.2 installations, including mine - PunBB 1.2 did not create the tables correctly.
2) Make sure SET NAMES utf8 is called before any other SQL command.
Even if #1 is not satisfied, this approach will not lead to data loss on old data - old posts will simply display incorrectly, but as soon as table structure is fixed to match the data, everything will be fine.
Upgrade script uses a much more dangerous approach of reading all data, converting it to UTF8 and writing it back.
40 2009-03-20 20:27
Re: The migration to utf-8 delete text, data loss! (39 replies, posted in PunBB 1.3 bug reports)
Actually, the update script asks the encoding of the language pack before updating. Then it converts posts to UTF8 by calling this function for every post:
http://punbb.informer.com/trac/browser/ … e.php#L231
And then it tells MySQL that the data encoding is UTF8.
And if old charset is NOT ISO-8859-1 and neither iconv and mb_convert_encoding exist, leaves the string unchanged but tells MySQL that it is UTF8.
What the upgrade should do, and what WOULD be foolproof provided that the user tells the correct encoding, would be a sequence of ALTER TABLEs:
1) ALTER TABLE ... ALTER [string_field] BLOB
2) ALTER TABLE ... ALTER [string_field] [original_type] [user's_encoding]
3) ALTER TABLE ... ALTER [string_field] [original_type] CHARACTER SET utf8
Or even just steps 1 and 2, those would suffice and might be even safer. Conversion to UTF8 can be done on-request thanks to SET NAMES utf8.
41 2009-03-20 14:41
Re: The migration to utf-8 delete text, data loss! (39 replies, posted in PunBB 1.3 bug reports)
No wonder the users are losing their data!
What this function does is, it assumes that there is UTF8 data in the table and modifies the structure to match that. If the assumption is wrong - and it will often be wrong - it will simply take data in current encoding and tell MySQL that it is in fact UTF8. Which leads to data loss in itself, and if it just happens that the source data contain sequences not permitted under UTF8, the string will likely get truncated at that point. When I was upgrading to 1.3, for example, my data was in cp1250...
42 2009-03-20 14:35
Re: The migration to utf-8 delete text, data loss! (39 replies, posted in PunBB 1.3 bug reports)
As far as I understand the update script works just like you have described:
http://punbb.informer.com/trac/browser/ … e.php#L338
The difference is that the script does not know the correct charset and I see no easy way for it to recognize it.
43 2009-03-19 05:38
Re: User Inuput Validation (17 replies, posted in PunBB 1.3 troubleshooting)
I believe you'll find that statement is incorrect, if I remember correctly. Prepared statements are, (from memory), an extra layer of protection but not a foolproof one.
Only if you use them the same way you would use regular queries, which of course completely defeats their purpose and all their advantages.
pepak wrote:I agree generally, but I do think that there are cases where rigorous validation isn't worth it. E-mail-like logins for various IM services are one such case.
Rigourous validation and sanitisation is *always* worth it. Any other approach is, inevitably, at some point in time, just putting up a big sign asking for problems.
I would appreciate if you kept to the arguments at hand. We were talking about validation. Now you add sanitization, which is a whole different matter: sanitization cleans data from possible malicious parts (and obviously needs to be done every time), validation only makes sure that it is formatted in a certain way (and experience shows that you will almost always find valid inputs which are formatted differently than you expected).
If you wish to take the haphazard approach personally, then by all means do so. A project such as this should have no coding practices such as those inplace, however. Security is paramount.
Is it? Really? There are great many avenues to improve security, but it could be argued that many of them increase it only marginally while increasing costs a lot. Or that some of these approaches would add more security and should be done first - e.g. those prepared queries, or different database account for administrators (EVERY database should have at least three users - owner, who can not login from the web server, admin, who can modify everything but can't e.g. drop tables or databases, and user, who can only read and write what's necessary for him to read). Input validation is nice to have, certainly, but its importance is relatively low if rigorous sanitization is done on output.
44 2009-03-18 20:06
Re: User Inuput Validation (17 replies, posted in PunBB 1.3 troubleshooting)
It's always possible to miss escaping sql input,
Actually, if developers (in general, not specifically of PunBB) finally started to use prepared statements, the whole problem of SQL injection would go away.
I see it as a line in the defences, backed up by escaping the sql and the output etc. It should be standard coding practice to check all input is at least within reasonable bounds.
I agree generally, but I do think that there are cases where rigorous validation isn't worth it. E-mail-like logins for various IM services are one such case.
45 2009-03-18 17:37
Re: User Inuput Validation (17 replies, posted in PunBB 1.3 troubleshooting)
pepak wrote:Validating e-mail isn't exactly easy to do.
The old devs managed it perfectly well where 1.2 was concerned, so I see no reason why 1.3 should be any different.
I should have said "Validating e-mail properly"
pepak wrote:With most of these values, I pretty much fail to see their importance. So someone enters a wrong homepage or wrong AIM - where's the harm? It only hurts him, nobody else.
The point is? The input is invalid. Pure and simple. Consequence is irrelevant.
Is it? And if he enters a semantically valid but non-existent ID, or ID belonging to someone else, then what? Should the system complain, too? Why bother?
If an internal zone is set up incorrectly, that is not for PunBB to decide. A domain should be in the form of *.*. Only localhost is exempt from that rule.
What if I don't use a domain for my webpage?
46 2009-03-18 14:35
Re: User Inuput Validation (17 replies, posted in PunBB 1.3 troubleshooting)
I believe an invalid url message would be good, as with the Messenger / AIM etc they can only be email addresses (I think!) so force them to be. This should be the attitude to everything wherever there is input.
Validating e-mail isn't exactly easy to do.
With most of these values, I pretty much fail to see their importance. So someone enters a wrong homepage or wrong AIM - where's the harm? It only hurts him, nobody else.
47 2009-03-16 10:15
Re: Private forum - Display forum in forum list but not allow topic views (3 replies, posted in PunBB 1.3 discussion)
I am only guessing now:
- Assume that there are two groups of users, "privileged" (have access to the extra forums) and "regular"
- Only allow "privileged" access to your forum (just as it is now)
- Create a new forum with the same name. Prevent "privileged" from even reading it (so it doesn't appear in their list), allow "regular" to read the forum but not write
- Create one topic in this forum to explain that "All topics are hidden. If you want to see them, do this and that."
This should do the trick: Your regular users will see the "fake" forum with explanatory message, but they won't be able to do anything with it. Your privileged users will not see this fake forum but another forum (with the same name) where they can normally post.
Let me know if it works. It should.
48 2009-03-15 14:24
Re: md5 (?) encoded ip addresses (32 replies, posted in PunBB 1.3 discussion)
You may need to implement a few more hooks (I didn't actually check what's needed to be done to work with hashed IP addresses), but the simple XML above solves all calls to function get_remote_address without having to modify any source code of PunBB.
49 2009-03-15 14:22
Re: md5 (?) encoded ip addresses (32 replies, posted in PunBB 1.3 discussion)
Yes. But if you used the hooks, you could avoid any change in the source files - your modification would hqave a form of extension then.
extensions/HashedIP/manifest.xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE extension SYSTEM "ext-1.0.dtd">
<extension engine="1.0">
<id>HashedIP</id>
<title>HashedIP</title>
<version>0.1</version>
<description>Don't store IP addresses but their hashes.</description>
<author>Head_Lice</author>
<minversion>1.3dev</minversion>
<maxtestedon>1.3</maxtestedon>
<hooks>
<hook id="fn_get_remote_address_start"><![CDATA[
return md5(sha1(gethostbyaddr($_SERVER['REMOTE_ADDR'])));
]]></hook>
</hooks>
</extension>
50 2009-03-15 09:27
Re: md5 (?) encoded ip addresses (32 replies, posted in PunBB 1.3 discussion)
2) And what about using sha1 at first, and then encrypt it with md5? For example md5(sha1($_SERVER['REMOTE_ADDR']))?
That wouldn't solve anything. The reason why hashes are considered "safe" for private data is that there are usually way to many possible inputs to try them all - stored hash of a password is difficult to break because there are so many possible passwords. With IPv4 addresses there are only 2**32 addresses at most, quite a few of whose can't appear. If I wanted to discover real IP address from the hash, I could simply start with 0.0.0.0, do a MD5 (or SHA1, or SHA1(MD5)), or whatever) and compare the hashes; if not found, increase the address and try again. In worst case, I would need 2**32 hash operations; the slowest benchmarks I found cite something around 100000 checks per second on modern hardware - I would need 12 hours to find the IP address.