76

(9 replies, posted in PunBB 1.2 discussion)

Almost everything is doable. The only problem I see is with the login, but what you require is easy.

Main site point to the forum (and please take a look at extern.php which has functions that you can use to already provide some content), and I'd suggest also a login page (if you don't already have a membership system, in which case you'd have to make them both compatible, which is also doable but requires extra work).

Sub-pages/sites point to each section with a link very much like:
http://www.yourdomain.com/punBB/viewforum.php?id=6
where the last number is the id of the forum, check on the DB or do some trial & error

If the user has already logged in, he'll have the appropriate rights, otherwise, he'll have guest rights, however you've defined them.

77

(16 replies, posted in General discussion)

Now, if anyone happens to have a spare Rolls that's not in use anymore...  wink

When do you island guys go to sleep? I thought you were only 1 hour away!

Start without the card on.
BTW, have you tried the card on another system? Nothing prevents the card from being defective as well. Not my first option, but an option nevertheless.

Anyway, I'd do this: start without the card and AFTER the system is up & running, plug the card in. You can damage nothing doing that with a PCMCIA card, cause they were designed to work that way.

Marc

Well, I guess that settles it: Firefox doesn't "degrade gracefully", and opera does but doesn't support the standard modification.

So it's still a very MSIE-only like thing sad
Well, it'll have to do wink

Tak!

Marc

80

(300 replies, posted in PunBB 1.2 discussion)

Ahhhh could someone enlighten me about the open_basedir restrictions topic? Some of us have never even been to Sweden! wink
And that seems like some problem I might have to care about.

81

(17 replies, posted in Feature requests)

<lol> yeah, what I meant is exactly that. It's called flags. With one byte you can have up to 8 independent boolean values. 0,1,2,3 means the first two values, if we add another possibility, we jump to 8, etc...

That's the reason why I always wonder why mysql developers use bytes as the unit for integers, instead of bits. I guess a one for all is much easier to implement, otherwise it'd be just too much work just to avoid me being confused wink

Well, anyway it was just an idea, in order to leave you with one less excuse wink

82

(17 replies, posted in Feature requests)

... make that accept 0,1,2,3,4,5,6... we've still got one full byte to fill, c'mon!

I must say, though, that what CodeDuck says makes sense: either you want to see imaged smilies or not, but why would you want others not to see yours, and still have to take other people's?

BTW, *I* like image smilies smile

Dunno what that nuke block is, but check out external.php, if you want something like what's on the main page.

There's a mod that does what you want. It actually does more, but you can easily strip it down, if you want.
Go here to check it out.

Marc

85

(17 replies, posted in Feature requests)

Why not allow a 0,1,2 or 3 on the existing field? You'd keep compatibility with all existing installs.

You receive two cookies on the first load of the page. Since the server cannot read if the cookies were accepted until the page is reloaded, that's why there's a reload button. If you reload, then on the lines below, a description of both cookies should appear:
NoHTTPOnly=Visible
HTTPOnly=Invisible_for_MSIE

Then, pressing any of the other buttons, you should see either that the invisible label becomes visible with info similar to that one provided by opera, or that it appears on a popup. I don't have *any* experience with firefox, so I can't tell, although I've DLed it, I'm not that eager to install more soft on this machine, so I'll probably start up the linux box and test it there.

The thing is, if you're using MSIE6.01 or superior, the cookies that include HttpOnly cannot be read from a script within the page, thus making them in theory invulnerable to xss cookie hijacking. I say in theory, cause you could create a java applet that accessed directly the page and stole the whole http headers, but then the site must already be xss vulnerable, as usual. Somebody mentioned a combination of flash, java and a script could in theory allow you to steal the cookie, so this new behavior of the navigator is not a panacea, but it's a first step, which makes it much harder to properly abuse an xss vulnerability. But not impossible. Navigators that don't support the httponly tag, should degrade gracefully and have no further problems (but no special immunity also) whatsoever.

Fiu, whether it works or not, you can't say I didn't write about it wink

Marc

87

(6 replies, posted in Feature requests)

Oh, he's got something like experts exchange... I'd say that this is another counter, I'd set it separated, then you can compare the ratio of correct/bad answers wink

Well, anyway, the easy part is stopping the counter, and increasing the counter doesn't mean that much work, you should place a form that appears on each message, with the poster id and a submit button, only available to moderators.

However, to be coherent, that same button should have to add a message to the thread and close it. And count the people who ASK a question, if you want to give credits for that (+for answers, -for questions). That's the part I would be lazy about coding sad

Marc

Hmmm I'd say you need to restart the system and after it's started plug in the card.
Well, anyway, I'd start by uninstalling the existing drivers and DLing new drivers from the INet (here), start the install from scratch.

If you already did that... well, I really don't know what to say. W98 can be generally manually troubleshooted, but I wouldn't dare trying that through a bbs... not even by phone sad

Good luck!
Marc

Whaddayamean Nothing?
Doesn't it support javascript? The code's nothing fancy, mind you...
Well, I can strip it into two parts, let's see...
try again, if you please :-)

Be warned that this trick *can* be bypassed, but it requires elaborate code using at least two different technologies. But, it's still something to look at, I expect future developments on the matter, if other browsers start implementing this correctly smile

Jejeje, that was my very first guess wink

Am I gooooooood!! wink

Yeow, sure, took a while to set it up in a way that you could see the difference... smile

Cookie tester

And now don't come down on me cause that server supports asp only.

My JS response is:
Navigator: Microsoft Internet Explorer
Version: 4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Minor version: ;SP1;Q810847;Q813951;Q813489;Q330994;Q818529;...;
Cookies:
NoHTTPOnly=Visible; ASPSESSIONIDGGGGGGGG=Whatever...

If you can see the httponly cookies, you'll get something like:
NoHTTPOnly=Visible; HTTPOnly=Invisible_for_MSIE; ASPSESSIONIDGGGGGGGG=Whatever...

Marc
PS: I added some extra info on the JS. If your MSIE is not 6.01+, it should display both cookies + the session id.
PPS: Thanks for testing this one smile

Can you move his computer? To your physical location (that is, network). His ISP might as well be supplying him with a 'transparent' proxy. I've seen that happen in Spain.

Or, if you're lazy, I'd modify line 37 of admin_options.php

    // Lazy referer check (in case base_url isn't correct)
    if (!preg_match('#/admin_options\.php#i', $_SERVER['HTTP_REFERER']))
        // Temporary debug output: escape the header before echoing it back
        die('Your Referer:'.htmlspecialchars($_SERVER['HTTP_REFERER']));
        //message($lang_common['Bad referer'].' <a href="mailto:'.$pun_config['o_admin_email'].'">'.$pun_config['o_admin_email'].'</a>.');

And ask him to try again. Then see what message is he having and from then on, investigate. Don't forget to recover the original file afterwards... smile

Good hunting!

Marc

93

(7 replies, posted in Feature requests)

OMG, there they are: the little ones!!!!! smile I like those photos. Nice layout.

Of course, you can edit things out to suit your needs, say like:
echo $lang_extern[$num_users.' users online'].' ('.$user_name_list.')<br>';

You see what I mean, just work it out. Now it's ugly wink

Marc
PS: glad to help-

94

(14 replies, posted in Feature requests)

Well, I must agree with the people here. The most attractive thing of punBB is its lightweight. It provides all you really need to host a forum, and most of the things you'd like to have you can easily implement.

I use it as an extra value to my site, where my customers can discuss about bugs and request features or simply express their opinion, and it was peanuts to integrate it. Besides, I've learnt a lot of good programming techniques browsing through most of the code. If I want phpBB or IV or whatever, I can go and get them. The minute you start competing with the others, you're running a competitive race, that you're likely going to lose unless you've got a really good supporting team.

So, due to its flavour, punBB is the best choice for me. If it changes completely, it won't be. Don't misunderstand me, flashy boards are nice to see, but they serve a different purpose. If I wanted to attract people, I wouldn't be using punBB (no disrespect meant) just as it is, but I'd be adding lots of mods, or simply get another package that is easier to install and has them already.

Maintaining this board simple and at the same time updating the mods is much more work than integrating them and forgetting about them, but with a little work from the user (and don't forget we're talking free products here) you can customize it as well.

Oh, well, that's so much for ranting, each position has its advantages, so I guess we'll all be of different opinions... which is much better than the opposite smile

Marc

95

(7 replies, posted in Feature requests)

If you want to experiment... I already did something like that:

That's a modded extern.php around line 262

else if ($_GET['action'] == 'online')
{
    // Fetch users online info and generate strings for output
    $num_guests = $num_users = 0;
    $result = $db->query('SELECT user_id, ident FROM '.$db->prefix.'online ORDER BY ident') or error('Unable to fetch online users info', __FILE__, __LINE__, $db->error());
    
    $user_name_list=" ";

    while (list($cur_online_id,$user_name_name) = $db->fetch_row($result))
    {
        if ($cur_online_id > 0)
        {
            ++$num_users;
            // Escape the name before it is echoed into the page
            $user_name_list.=htmlspecialchars($user_name_name);
        }
        else
        {
            ++$num_guests;
        }
    }

    echo $lang_extern['Users online'].': '.$num_users.':'.$user_name_list.'<br>';
    echo $lang_extern['Guests online'].': '.$num_guests;

    exit;
}

Dunno, just something quick and dirty that seems to work for me. But my forum is not open yet, so... you'd rather wait for Rickard to confirm, since I am not sure I used the right DB field.

Marc

Just a couple of ideas to look at, since I believe from your post that your config is correct.

Is he using some firewall or some third party software that might be framing the contents?
Is he trying to access through some proxy that translates to the ip address?
Is he trying to access through https instead of http (or the inverse)?
Is he using a mac? (J/K)

Well, cookies can be read through javascript (try alert(document.cookie); if you want to see it at work), that's one of the ways cookie hijacking happens, if you can insert some script into a website and have the cookie transferred to somewhere else. MS decided that adding another value after the 'secure' that specified that this cookie can only be read through http communications, they would help mitigate xss vulnerability. Which is true, only that they implemented it AFAIK alone, outside the NS cookie specification.

Since I'm not that fan of using several browsers, and my natural market are fully MS oriented, I've been using it for long (in fact, I modified punBB's cookie to send it that as well wink ), but I couldn't help noticing that some people here use non-standard browsers (namely, at least firefox), so...

I could write a simple page that tested it, but I am a lazy person, if somebody knows, it's easier asking smile

Marc
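
The behaviour described in the HttpOnly posts above, as an added example that is not part of the original posts: a JavaScript model of what document.cookie exposes in a browser that honours HttpOnly versus one that ignores it, using the tester's cookie names. The function names and the simplified Set-Cookie parsing are assumptions of this example.

```javascript
// Added example (constructed); cookie names mirror the tester output on this page.

// Build a Set-Cookie header value; HttpOnly is a bare attribute after the pair.
function buildSetCookie(name, value, { httpOnly = false, path = '/' } = {}) {
  let header = `${name}=${value}; Path=${path}`;
  if (httpOnly) header += '; HttpOnly';
  return header;
}

// Parse one Set-Cookie value into its pair and lower-cased attribute names.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('='); // values may themselves contain '='
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    attrs: new Set(attrs.map((a) => a.split('=')[0].toLowerCase())),
  };
}

// Model of what document.cookie returns to a script in the page.
// honoursHttpOnly=false models a browser that ignores the unknown attribute:
// the cookie is still stored (graceful degradation) but gets no protection.
function scriptVisibleCookies(setCookieHeaders, honoursHttpOnly) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !(honoursHttpOnly && c.attrs.has('httponly')))
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Defender's check: names of cookies a script in the page could still read.
function cookiesMissingHttpOnly(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.attrs.has('httponly'))
    .map((c) => c.name);
}

// Constructed sample: the two test cookies plus a session cookie.
const sampleHeaders = [
  buildSetCookie('NoHTTPOnly', 'Visible'),
  buildSetCookie('HTTPOnly', 'Invisible_for_MSIE', { httpOnly: true }),
  buildSetCookie('ASPSESSIONIDGGGGGGGG', 'Whatever'),
];
console.log(scriptVisibleCookies(sampleHeaders, true));
console.log(cookiesMissingHttpOnly(sampleHeaders));
```

In this sample the session cookie itself is sent without HttpOnly, so the check reports it alongside the NoHTTPOnly test cookie.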

Just wondering, if you have an idea of that parameter being implemented on other navigators, since it doesn't belong to the original specification, it wasn't before. But times change, and it's a nice way to help protect cookies from xss smile

Marc

99

(7 replies, posted in General discussion)

Hmmm and how's that with cookies, are they accepted by phones nowadays?

That's aggressive sales. But if it worked...