[MODDB] Approval MOD v2.0

A place for MOD Authors to post and receive feedback on MODs still in development. No MODs within this forum should be used within a live environment! No new topics are allowed in this forum.

On February 1, 2009 this forum will be set to read only as part of retiring of phpBB2.

Post by chrisjlocke »

Bump. :(
Will Santa be popping down my chimney with this MOD?

Post by uncle.f »

chrisjlocke wrote: Bump. :(
Will Santa be popping down my chimney with this MOD?


Likely, but no promises :-)

I am very much looking forward to this...

Post by sobriety »

If you pull this off you will be among the giants...

I run a small time board, like I think a lot of people on here do, no moderators just me. Because of the nature of my board (alcoholism and addiction), I decided to allow guest posting. I would rather check 3 times a day and approve a post than be worried that someone posted something inappropriate.

I envision adding your mod ASAP. Trusted members can post at will, guests and first post members need to be approved.

I have been battling spam by banning the IP ranges of most of Asia and Europe. Now it is starting in the USA. I do it every day.

I just wanted to say Thank You!

Re: I am very much looking forward to this...

Post by uncle.f »

sobriety wrote: I just wanted to say Thank You!


Please, let me finish first. Thank later :-)
Plus, the first published version will be definitely beta, which you should not put on the live forum until it is of production quality.

Post by sobriety »

uncle.f wrote: Please, let me finish first. Thank later
Plus, the first published version will be definitely beta, which you should not put on the live forum until it is of production quality.


understood.. godspeed.. wish I could help.

will gladly send a donation via paypal

are there nominations for best mods of the year? :)

Re: [DEV] Approval Groups MOD for phpBB 2.0.21

Post by angelp1ay »

I imagine I will use this to prevent spam posts being displayed. I'll be wanting new users to have their posts approved until I decide they are real users and they are tagged as allowed to post. I believe there are 2 ways to do this:

- forum default to must be approved, add real users to a usergroup that is set to doesn't need approval

- forum default to doesn't need approval, new users automatically added to a usergroup that is set to must be approved

Ideally I want the real users to feel the least impact possible - will this mod make much difference to load times? I guess it adds SQL queries to the posting page and the viewing post pages? And which of the above approaches would be better for the real users - shift the emphasis onto checking new users and leaving real users relatively unaffected? (if there is a difference at all?)

I get the impression I'm making a fuss about nothing but better to ask someone who knows what they're doing!

PS. Great mod - can't wait :D

Re: [DEV] Approval Groups MOD for phpBB 2.0.21

Post by uncle.f »

angelp1ay wrote: I believe there are 2 ways to do this


Absolutely correct.

angelp1ay wrote: will this mod make much difference to load times? I guess it adds SQL queries to the posting page and the viewing post pages?


Actually, this is what makes this MOD different from all other 'Approve' kind of mods. I am trying to make sure that the intrusion is minimal, especially when it comes to SQL. If the post does not require approval, there won't be any additional SQL queries executed. So far, the only additional SQL I have is for notifying the moderators about the post that needs approval. Browsing the forums is not affected at all.

angelp1ay wrote: which of the above approaches would be better for the real users - shift the emphasis onto checking new users and leaving real users relatively unaffected? (if there is a difference at all?)


There is no difference at all from the MOD's point of view. :wink:
Last edited by uncle.f on Wed Jan 03, 2007 4:28 pm, edited 1 time in total.

Re: [DEV] Approval Groups MOD for phpBB 2.0.21

Post by angelp1ay »

uncle.f wrote: Actually, this is what makes this MOD different from all other 'Approve' kind of mods. I am trying to make sure that the intrusion is minimal, especially when it comes to SQL. If the post does not require approval, there won't be any additional SQL queries executed.

Brilliant! and thanks for the quick reply.

Is this because you tack on the requests for the information on whether posts are awaiting approval to other SQL queries already in the code?

Sorry, I'll stop getting in your way now and give you a chance to code instead!

Re: [DEV] Approval Groups MOD for phpBB 2.0.21

Post by uncle.f »

angelp1ay wrote: Is this because you tack on the requests for the information on whether posts are awaiting approval to other SQL queries already in the code?


Precisely!

Post by birdboy »

This sounds fantastic for our board in terms of helping our spam problem. For months now we have been fighting spam from new users who appear to be created via SQL injections. I am not blaming phpBB as it could be one of the several mods we have, who even knows. It could be one of the changes I have made. I believe this because the standard banning features are simply not working (banned email addresses are getting accounts!!!! :x ).

That said, I am cautious to permit users to post without approval based on user profile data.

The reason I am posting is to suggest that this mod will allow for a custom variable name in case the posts are also based on injections. I understand that since spam was not your original reason for making this mod that you may not implement this idea, and I will understand if you don't.

Could I just replace all instances of the 'approval_var_name' (whatever that is) with my own 'custom_var_name' ("potatochips" for example) in the mod text file, then install it? Is it that simple? Would that work? This would only help if this mod became popular enough to cause spammers to add 'custom_var_name' = 'approved' to their injection queries.

If that would work, then no modifications to your mod would be needed, you could let people know about that technique.

Thank you for your time on this helpful mod! I'm excited for its release.
pkramer
purplemartin.org

Post by uncle.f »

birdboy wrote: For months now we have been fighting spam from new users who appear to be created via SQL injections.


8O 8O 8O That is something I never heard of. Posts appearing via SQL injections?? Which version of phpBB are you running?

birdboy wrote: Could I just replace all instances of the 'approval_var_name' (whatever that is) with my own 'custom_var_name' ("potatochips" for example) in the mod text file, then install it? Is it that simple? Would that work? This would only help if this mod became popular enough to cause spammers to add 'custom_var_name' = 'approved' to their injection queries.


It does not work quite as simply as that, I am afraid. If what you are saying about SQL injections is true, then no PHP script variable changes will prevent SQL injections. If you want to change the SQL table field name (I guess that is what you really meant with your question) it still would not completely prevent SQL injections.

Consider this. If the structure of the SQL table is known then these two statements are identical in their result:

Code:

-- Column names listed explicitly
INSERT INTO table_name (field_name1, field_name2, field_name3) VALUES ('value1', 'value2', 'value3');

-- Column names omitted; values are assigned by column position
INSERT INTO table_name VALUES ('value1', 'value2', 'value3');

As you can see you don't have to know the field names to insert data. So if SQL injections are really your problem (and I never heard of that with the latest phpBB) then there is very little you can do by changing names. What you should really do is to patch the code that allows for injections.
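
Added example, not part of the original thread and not code from the MOD: uncle.f's point above, run against a constructed SQLite table. It shows that a positional INSERT reaches the approval column whatever it is named, and that binding the values as parameters is what closes the hole; the table layout, column names and function names are assumptions made for illustration.

```python
import sqlite3

# Constructed sample input: text that closes the quoted value early.
CRAFTED_BODY = "hello', 1) --"


def make_db(approval_column):
    """Constructed stand-in for a posts table (not phpBB's schema).

    The name of the approval column is a parameter, so the same test can be
    run with a default name and with a renamed one such as 'potatochips'.
    """
    db = sqlite3.connect(":memory:")
    db.execute(
        f"CREATE TABLE posts (author TEXT, body TEXT, {approval_column} INTEGER)"
    )
    return db


def insert_concatenated(db, author, body):
    """The 'before': user input pasted into the SQL text.

    The INSERT is positional, so the statement never mentions the
    approval column by name.
    """
    db.execute("INSERT INTO posts VALUES ('" + author + "', '" + body + "', 0)")


def insert_bound(db, author, body):
    """The fix: values are bound as parameters and never parsed as SQL."""
    db.execute("INSERT INTO posts VALUES (?, ?, 0)", (author, body))


def approved_rows(db):
    """Rows whose third column (the approval flag, whatever its name) is 1."""
    return [row for row in db.execute("SELECT * FROM posts") if row[2] == 1]


if __name__ == "__main__":
    for column in ("post_approved", "potatochips"):
        weak, fixed = make_db(column), make_db(column)
        insert_concatenated(weak, "guest", CRAFTED_BODY)
        insert_bound(fixed, "guest", CRAFTED_BODY)
        print(column, "concatenated:", approved_rows(weak))
        print(column, "bound:       ", approved_rows(fixed))
```

With either column name the concatenated insert stores a row already marked approved, while the bound insert stores the crafted text as an ordinary unapproved post body.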

Post by birdboy »

Ok, well that makes me feel better, sort of. I just figured that if users could be created via injection that posts could too. Good to know. You clearly know this but I am still learning much about PHP and MySQL (self-taught over the last 3 years).

BTW: we are running 2.0.21.

Sorry, I was just speculating based on almost no knowledge of your mod. I thank you for your time. All this spam has us almost frantic.

Well, at any rate, we look forward to catching spam before it goes public. Hopefully, it will get most of it.
pkramer
purplemartin.org

Post by angelp1ay »

birdboy wrote: I just figured that if users could be created via injection that posts could too.

I think they can. You don't really want the possibility of SQL injections at all!

I imagine the reality is that rather than having a security hole, you probably just have an error in the code due to a change you have made which means the code is bypassing the banned emails and allowing these users to sign up using the same form as everyone else. At least I would be hopeful this is the case.

If you have few mods then it might be worth downloading a fresh copy of phpBB and starting from scratch to ensure your safety.

Post by BillyJ »

I'm a little late to the party, I know, but this mod will be great!

One question: The APPROVE process is apparently aimed at approving posts, not the people who posted them. It would be useful (for me, at least) if the APPROVE process could be used to APPROVE THE MEMBER, not just the post. Once the member is approved, he would be allowed normal access in the future.

Reason? I started down this path looking for a spam-fighting tool. On the board I moderate, all new registrants belong to a group called Trial Members. Typically the first post of a spammer Trial Member is, in fact, the spam message. My thought is that if every new registrant's first post went into a moderation queue, then I would get to review it before it hits the big time. By doing so, I can evaluate the new registrant's motives. If I like what I see, what I really want to do is approve the member for future posting - not just his first post. If I don't like what I see, I ban him immediately.

Does your mod allow me, in some way, to approve the poster rather than (or in addition to) his post?

Thanks

Bill

Post by angelp1ay »

BillyJ wrote: Does your mod allow me, in some way, to approve the poster rather than (or in addition to) his post?

Yes, this mod allows you to classify which usergroups have their posts go into the approval queue and which have their posts allowed automatically.