phpBB3: Open Source Forum Software Evolved
Security
Security has always been phpBB's number one priority. Many measures were taken during the development of phpBB3 to ensure that it was an extremely secure product from the outset. An external security audit was carried out by a team from http://www.sektioneins.de that included Stefan Esser, a PHP security expert and former PHP developer. The security audit revealed several issues with phpBB3 that were duly repaired, but it was a huge credit to the developers that no SQL injection or remote code injection vulnerabilities were found.
phpBB3 was completely rewritten, and strict new coding guidelines were put in place for the developers. In Esser's own words, this "led to a better security architecture than phpBB2's." phpBB3 reads every request parameter ($_POST, $_GET, etc.) through a single function, request_var, which returns the value cast to the type of the default passed to it, so a parameter declared with an integer default can never carry SQL text or markup. Database access goes through a new abstraction layer whose sql_build_array function escapes and quotes string values automatically, a job that phpBB2 left to hand-written str_replace calls at every call site. Writing a database query is now both easy and safe.
In phpBB2, a database query looked something like the following, with both the $email and $icq variables having been defined earlier from POST data. phpBB2 slash-escaped all incoming data first (via magic_quotes_gpc or its own addslashes pass in common.php), so each str_replace turns the backslash-escaped \' back into the SQL-standard doubled quote ''. The escaping is correct only as long as every query in the code base remembers to do it:
$sql = "UPDATE " . USERS_TABLE . "
SET user_email = '" . str_replace("\'", "''", $email) ."',
user_icq = '" . str_replace("\'", "''", $icq) . "'
WHERE user_id = " . $userdata['user_id'];
In phpBB3, queries are much more structured. The database layer's $db->sql_escape method replaces the hand-written str_replace, and because it delegates to the driver for the database in use, the same call is correct on MySQL, PostgreSQL, SQLite and the other supported back ends:
// String values are escaped by the DBAL at the point of use; user_id is an
// integer taken from the session, not from the request, so it is concatenated unquoted.
$sql = 'UPDATE ' . USERS_TABLE . "
SET user_email = '" . $db->sql_escape($email) . "',
user_icq = '" . $db->sql_escape($icq) . "'
WHERE user_id = " . $user->data['user_id'];
When a number of columns need to be updated, the $db->sql_build_array function can be used. Values that are PHP strings are escaped and quoted automatically; integers are emitted as bare numbers and booleans as 0 or 1, which is why the type that request_var assigns to each value matters. Larger queries may therefore look like this:
$sql_data = array('user_email' => request_var('email', ''),
'user_icq' => request_var('icq', ''),
'user_yahoo' => request_var('yahoo', ''),
'user_msn' => request_var('msn', ''),
);
$sql = 'UPDATE ' . USERS_TABLE . '
SET ' . $db->sql_build_array('UPDATE', $sql_data) . '
WHERE user_id = ' . $user->data['user_id'];
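The following is an added example, not code from the article or from phpBB. It stands in for request_var, $db->sql_escape and $db->sql_build_array with small hypothetical equivalents (demo_request_var, demo_dbal) so the query-building pattern shown above can be run from the command line and its output inspected, including what happens to an injection attempt in a string field and in an integer field. It assumes only stock PHP. The stand-in sql_escape doubles single quotes, whereas the real DBAL hands the string to the client library for the database in use, and the stand-in request_var omits the HTML encoding the real one applies to string values.

```php
<?php
// Added example (not phpBB code): minimal stand-ins for the three phpBB3
// helpers used in the article, request_var(), $db->sql_escape() and
// $db->sql_build_array(), runnable without a phpBB install or a database.
// Names prefixed demo_ are hypothetical. The real DBAL delegates sql_escape
// to the database client library; this stand-in doubles single quotes.

// Stand-in for request_var(): the value is cast to the type of $default,
// so a parameter declared with an integer default can never carry SQL text.
// (The real function also HTML-encodes string values; omitted here.)
function demo_request_var($name, $default)
{
    if (!isset($_POST[$name])) {
        return $default;
    }
    $value = $_POST[$name];
    if (is_int($default)) {
        return (int) $value;      // "7 OR 1=1" becomes 7
    }
    if (is_bool($default)) {
        return (bool) $value;
    }
    // Strings: normalise line endings and drop NUL bytes. SQL escaping is
    // deliberately NOT done here; that is the DBAL's job at query time.
    return str_replace(array("\r\n", "\r", "\0"), array("\n", "\n", ''), (string) $value);
}

// Stand-in for the phpBB3 DBAL methods used in the article.
class demo_dbal
{
    public function sql_escape($msg)
    {
        return str_replace("'", "''", $msg);
    }

    // Same signature as phpBB3: $query is 'INSERT', 'UPDATE' or 'SELECT';
    // $assoc_ary maps column => value. Strings are escaped and quoted,
    // integers are emitted bare, booleans become 0/1.
    public function sql_build_array($query, array $assoc_ary)
    {
        $literals = array();
        foreach ($assoc_ary as $column => $value) {
            $literals[$column] = $this->sql_literal($value);
        }

        if ($query === 'INSERT') {
            return '(' . implode(', ', array_keys($literals)) . ') VALUES ('
                . implode(', ', $literals) . ')';
        }

        $pairs = array();
        foreach ($literals as $column => $literal) {
            $pairs[] = $column . ' = ' . $literal;
        }
        if ($query === 'UPDATE') {
            return implode(', ', $pairs);
        }
        if ($query === 'SELECT') {
            return implode(' AND ', $pairs);
        }
        throw new InvalidArgumentException("unknown query type: $query");
    }

    private function sql_literal($value)
    {
        if (is_bool($value)) {
            return $value ? '1' : '0';
        }
        if (is_int($value)) {
            return (string) $value;
        }
        return "'" . $this->sql_escape((string) $value) . "'";
    }
}

// Constructed request data: two of the fields carry injection attempts.
$_POST = array(
    'email' => "x@example.com' OR '1'='1",
    'icq'   => '12345',
    'posts' => '7 OR 1=1',
);

define('USERS_TABLE', 'phpbb_users');
$db = new demo_dbal();
$user_id = 42; // in phpBB this is $user->data['user_id'], taken from the session

$sql_data = array(
    'user_email' => demo_request_var('email', ''),   // string default
    'user_icq'   => demo_request_var('icq', ''),
    'user_posts' => demo_request_var('posts', 0),    // integer default
);

$sql = 'UPDATE ' . USERS_TABLE . '
SET ' . $db->sql_build_array('UPDATE', $sql_data) . '
WHERE user_id = ' . (int) $user_id;
echo $sql, "\n";

// The same array drives an INSERT; only the query type changes.
echo 'INSERT INTO ' . USERS_TABLE . ' ' . $db->sql_build_array('INSERT', $sql_data), "\n";
```

Run it with php on the command line. In the output, user_email arrives as one string literal with every embedded quote doubled, so the OR clause never leaves the literal, and user_posts arrives as the bare integer 7 because the default handed to request_var was an integer. Note the cast in the WHERE clause: sql_build_array only protects the values it is handed, so anything concatenated separately still needs its own cast or sql_escape.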
The phpBB MOD Team shares the Development Team's belief that security is paramount. As with phpBB2, the MOD Team plans on continuing to validate every MOD that's submitted to the online database, ensuring that modifications adhere to the new coding guidelines as well as meeting security standards set by the team. After automated checks are made, MOD team members audit every submission line-by-line before testing the MOD to ensure that it functions correctly. The entire validation process takes time, but the result is that users have a quality assurance that's unique to phpBB.com.
The Future: phpBB v3.2
The next major release of phpBB will be v3.2, codenamed "Ascraeus." The Development Team has set a total of six milestones for the development of v3.2, the first of which will consist of general changes to phpBB. Such changes will include dropping support for PHP 4.x and MySQL 3.x/4.0.x.
The BBCode parser will also be revamped. It will be separated entirely from the posting page, allowing BBCode to be used in any text area. A community-requested feature -- the editing of existing BBCode functions -- will also be implemented, essentially meaning that there will be no differentiation between the default BBCode functions and those added by the board administrator.
The second milestone focuses on new features. The user session functions will be revisited, and the posting page and moderator control panel will be enhanced. phpBB will use Ajax for the first time, but only where it is appropriate. The topic and forum listings will also gain functionality, such as non-permanent or "soft" deletion of topics, and the global announcement system will receive minor tweaks.
Possibly the most anticipated new feature, however, will be the highly customizable events system, which will be a fantastic addition for both board administrators and phpBB MOD authors. Describing the events system, Meik Sievertsen said, "The event system is a trigger-based system whereby admin-definable 'actions' are fired upon specific conditions. Sample pre-defined triggers could be: 'posting, replying, or registering'. The condition applied to this trigger might be something like 'having more than x posts' and the action might be 'place this user into group Y'." As you can imagine, this functionality will automate many of the processes that are currently performed by board moderators and administrators.
Beyond v3.2, there will be phpBB v3.4. With the increased use of AJAX, an expanded events system, and additional database control for board administrators all on the cards, the future is looking very bright for phpBB.
Thanks to Meik Sievertsen ("Acyd Burn") and Josh Woody ("A_Jelly_Doughnut") for providing information about phpBB development, and the phpBB MOD installer, respectively.