This MOD sets a cookie on the user's machine when that user is banned by user_id and/or IP. As long as the cookie matches a banned user_id or a banned IP in the database, the user is denied access to the forum entirely: they cannot even view it as a guest. Even if the user changes IP, the ban still holds.
The mod works transparently: use the existing ban options in the ACP to ban a user by name or by IP, and the code will take care of setting and maintaining the cookie.
To unban someone, remove the name and/or IP from the lists, and the next time the user visits, the cookie will no longer match a database ban record, and the cookie will be deleted.
No method of banning is fail-safe. I won't list the exact method of getting around this MOD, but the computer-savvy user can figure it out. However, since it is a simple MOD, it is still worthwhile installing if you have trouble with banned people coming back and you want another level of control.
##############################################################
## MOD Title: Ban_cookie
## MOD Author: Merlin Sythove < Merlin@silvercircle.org >
## MOD Description: Give banned users a cookie and check that too,
## in addition to the existing checks. Once the cookie is in place:
## if it matches the database, the user is banned, even if the user
## gets another IP or is not logged in so the user ID is unknown.
## MOD Version: 0.9
##
## Installation Level: Easy
## Installation Time: 5 Minutes
## Files To Edit: includes/sessions.php
## Included Files: (N/A)
## License: http://opensource.org/licenses/gpl-license.php GNU General Public License v2
##############################################################
## For security purposes, please check: http://www.phpbb.com/mods/
## for the latest version of this MOD. Although MODs are checked
## before being allowed in the MODs Database there is no guarantee
## that there are no security problems within the MOD. No support
## will be given for MODs not found within the MODs Database which
## can be found at http://www.phpbb.com/mods/
##############################################################
## Author Notes:
##
##############################################################
## MOD History:
##
## 2005-11-01: Version 0.9
##
##############################################################
## Before Adding This MOD To Your Forum, You Should Back Up All Files Related To This MOD
##############################################################
#
#-----[ OPEN ]------------------------------------------
#
includes/sessions.php
#
#-----[ FIND ]------------------------------------------
#
$sql = "SELECT ban_ip, ban_userid, ban_email
FROM " . BANLIST_TABLE . "
WHERE ban_ip IN ('" . $user_ip_parts[1] . $user_ip_parts[2] . $user_ip_parts[3] . $user_ip_parts[4] . "', '" . $user_ip_parts[1] . $user_ip_parts[2] . $user_ip_parts[3] . "ff', '" . $user_ip_parts[1] . $user_ip_parts[2] . "ffff', '" . $user_ip_parts[1] . "ffffff')
OR ban_userid = $user_id";
if ( $user_id != ANONYMOUS )
{
$sql .= " OR ban_email LIKE '" . str_replace("\'", "''", $userdata['user_email']) . "'
OR ban_email LIKE '" . substr(str_replace("\'", "''", $userdata['user_email']), strpos(str_replace("\'", "''", $userdata['user_email']), "@")) . "'";
}
if ( !($result = $db->sql_query($sql)) )
{
message_die(CRITICAL_ERROR, 'Could not obtain ban information', '', __LINE__, __FILE__, $sql);
}
if ( $ban_info = $db->sql_fetchrow($result) )
{
if ( $ban_info['ban_ip'] || $ban_info['ban_userid'] || $ban_info['ban_email'] )
{
message_die(CRITICAL_MESSAGE, 'You_been_banned');
}
}
#
#-----[ REPLACE WITH ]------------------------------------------
#
//START MOD Ban_cookie
//Give banned users a cookie and check that too, in addition to the existing checks.
//Once the cookie is in place: if it matches the database, the user is banned,
//even if the user gets another IP or is not logged in so the user ID is unknown.
//Get cookie ban settings. Both values arrive from the browser, so accept only
//what this MOD itself would have set: an integer user ID and an 8-character
//hex IP (the form phpBB stores in ban_ip). Anything else counts as no cookie,
//which also keeps the values safe to place in the SQL below.
$ban_cookie = '';
$banned_id = isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_banned_id']) ? intval($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_banned_id']) : 0;
$banned_ip = isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_banned_ip']) ? $HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_banned_ip'] : '';
if ( !preg_match('/^[0-9a-f]{8}$/', $banned_ip) )
{
    $banned_ip = '';
}
//Set and delete the cookies with the board's own path/domain/secure settings,
//so they apply to every forum page and not only to the directory of the
//script that set them (PHP's default for setcookie).
$ban_cookie_path = $board_config['cookie_path'];
$ban_cookie_domain = $board_config['cookie_domain'];
$ban_cookie_secure = $board_config['cookie_secure'];
//Yes, cookie ban settings were there. See if they match the database.
//If not, delete cookie.
if ($banned_ip || $banned_id)
{
    $sql = "SELECT *
        FROM " . BANLIST_TABLE . "
        WHERE ";
    $sql .= ($banned_ip) ? " ban_ip = '" . $banned_ip . "'" : '';
    $sql .= ($banned_id) ? ($banned_ip ? ' OR ' : '') . ' ban_userid = ' . $banned_id : '';
    if ( !($result = $db->sql_query($sql)) )
    {
        message_die(CRITICAL_ERROR, 'Could not obtain ban information', '', __LINE__, __FILE__, $sql);
    }
    if ( $ban_info = $db->sql_fetchrow($result) )
    {
        $ban_cookie = ( $ban_info['ban_ip'] || $ban_info['ban_userid'] );
    }
    //There was a cookie but no match in the database, so the ban is lifted:
    //delete the cookie by setting the expiry time 1 hour ago, and forget the
    //stale values so they are not written back into a fresh cookie below
    if (! $ban_cookie)
    {
        if ($banned_ip) setcookie($board_config['cookie_name'] . '_banned_ip', $banned_ip, time() - 3600, $ban_cookie_path, $ban_cookie_domain, $ban_cookie_secure);
        if ($banned_id) setcookie($board_config['cookie_name'] . '_banned_id', $banned_id, time() - 3600, $ban_cookie_path, $ban_cookie_domain, $ban_cookie_secure);
        $banned_ip = '';
        $banned_id = 0;
    }
}
//Have $ban_cookie: if not empty, the user is banned via a cookie.
//If empty, then there was no cookie, or there was NO LONGER a database match, so the cookie was deleted.
//Check if there is database ban info - this is roughly the original ban code
$ban_database = '';
$sql = "SELECT *
    FROM " . BANLIST_TABLE . "
    WHERE ban_ip IN ('" . $user_ip_parts[1] . $user_ip_parts[2] . $user_ip_parts[3] . $user_ip_parts[4] . "', '" . $user_ip_parts[1] . $user_ip_parts[2] . $user_ip_parts[3] . "ff', '" . $user_ip_parts[1] . $user_ip_parts[2] . "ffff', '" . $user_ip_parts[1] . "ffffff')
        OR ban_userid = $user_id";
if ( $user_id != ANONYMOUS )
{
    $sql .= " OR ban_email LIKE '" . str_replace("\'", "''", $userdata['user_email']) . "'
        OR ban_email LIKE '" . substr(str_replace("\'", "''", $userdata['user_email']), strpos(str_replace("\'", "''", $userdata['user_email']), "@")) . "'";
}
if ( !($result = $db->sql_query($sql)) )
{
    message_die(CRITICAL_ERROR, 'Could not obtain ban information', '', __LINE__, __FILE__, $sql);
}
if ( $ban_info = $db->sql_fetchrow($result) )
{
    $ban_database = ( $ban_info['ban_ip'] || $ban_info['ban_userid'] || $ban_info['ban_email'] );
    //Fill these variables from the database if not filled from the cookie yet
    if (! $banned_ip) $banned_ip = $ban_info['ban_ip'];
    if (! $banned_id) $banned_id = $ban_info['ban_userid'];
}
//User is banned in some way?
if ($ban_cookie || $ban_database)
{
    //Set the ban cookie and time it for 1 year. The year restarts every time the user comes here
    if ($banned_ip) setcookie($board_config['cookie_name'] . '_banned_ip', $banned_ip, time() + 365*24*3600, $ban_cookie_path, $ban_cookie_domain, $ban_cookie_secure);
    if ($banned_id) setcookie($board_config['cookie_name'] . '_banned_id', $banned_id, time() + 365*24*3600, $ban_cookie_path, $ban_cookie_domain, $ban_cookie_secure);
    //Close the forum to this person
    message_die(CRITICAL_MESSAGE, 'You_been_banned');
}
//END MOD Ban_cookie
#
#-----[ SAVE/CLOSE ALL FILES ]------------------------------------------
#
# EoM
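To see the decision logic of the replacement block on its own, here is an added example (not part of the MOD or of phpBB) that walks the four situations the install text describes: first visit of a banned user, the same browser coming back from a new IP as a guest, the ban being lifted, and a cookie the visitor has edited by hand. It stands in an in-memory array for BANLIST_TABLE and records what would be passed to setcookie() instead of calling it; the function and variable names (ban_cookie_check, clean_banned_ip, clean_banned_id, $banlist) and the sample ban rows are this example's own. It is written for PHP 7 or later, unlike the MOD itself, which targets the PHP 4-era globals phpBB 2 uses.

```php
<?php
// Constructed banlist, shaped like phpbb_banlist: user 7 banned by id,
// 192.168.1.* banned by wildcard IP (phpBB 2 stores IPs as 8 hex chars).
$banlist = [
    ['ban_id' => 1, 'ban_ip' => '',         'ban_userid' => 7, 'ban_email' => ''],
    ['ban_id' => 2, 'ban_ip' => 'c0a801ff', 'ban_userid' => 0, 'ban_email' => ''],
];
$anonymous = -1; // phpBB 2's ANONYMOUS user id

// Cookie values are attacker-controlled. Accept only what the MOD would set:
// an 8-char lowercase hex IP and a positive integer user id, else "no cookie".
function clean_banned_ip($raw)
{
    return preg_match('/^[0-9a-f]{8}$/', (string) $raw) ? (string) $raw : '';
}

function clean_banned_id($raw)
{
    $id = intval($raw);
    return ($id > 0 && (string) $id === (string) $raw) ? $id : 0;
}

function encode_ip($dotted)
{
    // phpBB 2 style: each octet becomes two hex digits
    return implode('', array_map(function ($o) { return sprintf('%02x', $o); }, explode('.', $dotted)));
}

// Returns ['banned' => bool, 'cookies' => [[name, value, 'set'|'delete'], ...]]
function ban_cookie_check(array $banlist, array $cookies, $user_ip, $user_id)
{
    $actions = [];
    $banned_ip = clean_banned_ip(isset($cookies['banned_ip']) ? $cookies['banned_ip'] : '');
    $banned_id = clean_banned_id(isset($cookies['banned_id']) ? $cookies['banned_id'] : '');

    // 1. A cookie is present: does it still match a ban record?
    $ban_cookie = false;
    if ($banned_ip !== '' || $banned_id) {
        foreach ($banlist as $row) {
            if (($banned_ip !== '' && $row['ban_ip'] === $banned_ip)
                || ($banned_id && $row['ban_userid'] === $banned_id)) {
                $ban_cookie = true;
                break;
            }
        }
        if (!$ban_cookie) {
            // Ban lifted: expire the stale cookie(s) and forget their values.
            if ($banned_ip !== '') $actions[] = ['banned_ip', $banned_ip, 'delete'];
            if ($banned_id)        $actions[] = ['banned_id', $banned_id, 'delete'];
            $banned_ip = '';
            $banned_id = 0;
        }
    }

    // 2. The original phpBB check: current IP (with wildcards) or current user id.
    $ip = encode_ip($user_ip);
    $candidates = [$ip, substr($ip, 0, 6) . 'ff', substr($ip, 0, 4) . 'ffff', substr($ip, 0, 2) . 'ffffff'];
    $ban_database = false;
    foreach ($banlist as $row) {
        if (($row['ban_ip'] !== '' && in_array($row['ban_ip'], $candidates, true))
            || ($row['ban_userid'] && $row['ban_userid'] === $user_id)) {
            $ban_database = true;
            if ($banned_ip === '') $banned_ip = $row['ban_ip'];
            if (!$banned_id)       $banned_id = $row['ban_userid'];
            break;
        }
    }

    // 3. Banned either way: (re)issue the cookies, as the MOD does for a year.
    if ($ban_cookie || $ban_database) {
        if ($banned_ip !== '') $actions[] = ['banned_ip', $banned_ip, 'set'];
        if ($banned_id)        $actions[] = ['banned_id', $banned_id, 'set'];
    }
    return ['banned' => ($ban_cookie || $ban_database), 'cookies' => $actions];
}

function expect($cond, $label)
{
    if (!$cond) throw new RuntimeException("failed: $label");
}

// a) banned user logs in from a clean browser: banned, cookie issued
$r = ban_cookie_check($banlist, [], '10.0.0.5', 7);
expect($r['banned'] && $r['cookies'] === [['banned_id', 7, 'set']], 'first visit');
// b) same browser, new IP, not logged in: the cookie alone keeps the ban
$r = ban_cookie_check($banlist, ['banned_id' => '7'], '10.9.9.9', $anonymous);
expect($r['banned'], 'cookie-only ban');
// c) ban record removed: cookie deleted, access restored
$r = ban_cookie_check([], ['banned_id' => '7'], '10.9.9.9', $anonymous);
expect(!$r['banned'] && $r['cookies'] === [['banned_id', 7, 'delete']], 'ban lifted');
// d) hand-edited cookie: rejected before it could reach a query
$r = ban_cookie_check($banlist, ['banned_ip' => "' OR 1=1 --"], '10.9.9.9', $anonymous);
expect(!$r['banned'] && $r['cookies'] === [], 'tampered cookie');
echo "all four cases behaved as expected\n";
```

Run it with `php ban_cookie_example.php`; case (d) is the one to keep in mind when adapting the MOD, because both cookie values are copied into SQL and must be validated before they get there.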
If you test this, follow this procedure, because once it works, the cookie is on your computer and even though you are admin, you won't be able to get to the login screen anymore!!!
- Make sure you can access phpMyAdmin to access your database. (If you can't, get a friend on a different computer to play hacker.)
- Create a test user
- Ban the test user using the name and/or IP
- Log out and log in as the test user. Once you have logged in, the cookie will be set and you will see that you are banned.
- Try to come back to see the index as a guest. You should not be able to see even the index page as a guest. This will only work if there is no existing session for you as admin with auto-login in operation, so either wait 1 hour or remove the session record from the database.
- Once you are satisfied that it all works, try to go to your forum to log in as Admin. Realise that this will not work.
- In phpMyAdmin, open the banlist table and remove the record (probably the last one, with the highest ban_id) that banned you.
- Surf to the forum again to log in, verify that it works this time.
- Log in as admin
Small addition: To avoid any confusion, the existing original phpBB ban code that checks IP, user email address and/or user ID, is still present and working!! This MOD simply adds a fourth check to the existing three, so that people who change their IP won't be able to get on your forum either. And also they don't have to be logged in (or trying to) before the ban is effective - this MOD will show ban messages when a banned person simply surfs to the index page, without logging in.