Safe Mods

Discussion forum for MOD Writers regarding MOD Development.
Thoul
Registered User
Posts: 810
Joined: Sun Jun 23, 2002 1:25 am
Location: USA
Contact:

Re: Safe Mods

Post by Thoul »

michaelo wrote:"Also if the MOD causes a parse error"... you fix it! Why would you install a mod with errors in the first place...
The mod may not have errors. Sometimes, the act of installing a mod can cause errors, either by a mistake on the part of the installer or a conflict with an existing mod.

In the past five years of writing and supporting mods, I have learned an important thing about mod users: most users are not programmers. There are exceptions, like those of us in this thread, but the general end user is someone that doesn't know the difference between if() and array(). If anything goes wrong with an install, these people have no idea of how to fix it.

If two mods are installed in the same area, they would not know how to add or modify a conditional, on their own, to create a situation like if(MODX && MODY). They would need specific instructions giving them the code to add in that case. That shifts the burden to the mod authors. Authors cannot be expected to test their mod against every other mod written (there are already over 120 in development on this site alone!) and include alternative install instructions for every situation where a conflict may arise. If that was required, no mods would ever be released.

IMO, the best approach when coding a mod is to make things as simple as possible for the mod user. I'm all for minimal changes to core code and adding on/off options for major mods that are largely standalone files. I try to do that myself in my own mods. But, if it overcomplicates the install for the end users, it is not useful.
User avatar
michaelo
Registered User
Posts: 1292
Joined: Thu Jun 13, 2002 3:49 am
Location: Dublin, Ireland
Name: Michael O'Toole
Contact:

Re: Safe Mods

Post by michaelo »

I said you can disable it if there is a possible security issue, however you could also disable it in order to test for a particular error... or as the cops say... eliminate it from their enquires :) I did not say it was a perfect solution, I simply suggested it as an option...

My portal (in mods database) was built employing these rules and guidelines, it performs perfectly... several Safe mods were tested and again no problems... Mike
Contributions: Mods & Styles Extensions
(site is down): Kiss Portal Engine
User avatar
christhatsme
Registered User
Posts: 1811
Joined: Sun Jan 16, 2005 10:42 am
Location: London, UK

Re: Safe Mods

Post by christhatsme »

the issues occur when every MOD is like this.

Any MOD in the phpBB database is safe, there is absolutly no need for this
All MOD downloads should be back now - Sorry for that and serious lack of support! - If anyone wants to take over or help with any of my MODs the offer would be apreciated as I have little time for phpBB Modding recently!

Again very sorry for not supporting these MODs recently.
User avatar
Ladysarajane
Registered User
Posts: 441
Joined: Sat Feb 18, 2006 10:05 pm

Re: Safe Mods

Post by Ladysarajane »

I cannot write mods...but I can follow instructions to install them.
I have seen Michaelo's portal and he has the "safe mod" installed in it. I loved it. I don't know what the fuss is about taking a couple extra steps in writing a mod so the user can choose whether or not to activate the mod or deactivate it if it is malfunctioning.
It saved me in testing his portal when I changed the style and couldn't reach it anymore. All I had to do was to switch it from 'true' to 'false' and the portal was disabled and the forum could continue as normal.
I believe a "Safe Mod" is one you can disable or enable and the functioning of the board is preserved. I don't know how many times I had to reinstall files to my board because a mod that had been thoroughly tested, still did not work on my forum. During that time, my forum had to be disabled while I either got a hold of the author to figure out the problem, or at the moment upload the whole backup..eating up bandwidth until I solved it.
I am for the "Safe Mod" ideal. I think if all mods could be "turned off or on" it would help newbies and experienced people alike.
When all else fails, read the instructions
Yautja_cetanu
Registered User
Posts: 72
Joined: Wed Nov 24, 2004 3:23 pm

Re: Safe Mods

Post by Yautja_cetanu »

Yeah I've quite liked this and will probably make all our mods "safe". Because this seems to help the patching of phpbb? It means when you install a phpbb patch, all the core code is still there and untouched. So it will update everything. It will then be the job of the mod author to make sure each mod is up-to-date with the latest version of phpbb (Including a Versioning system would be great) but at least the update files would work.

When I didn't really understand programming, I hated try to work out what had been changed and why things didn't work.
ToonArmy
Former Team Member
Posts: 4608
Joined: Sat Mar 06, 2004 5:29 pm
Location: Worcestershire, UK
Name: Chris Smith
Contact:

Re: Safe Mods

Post by ToonArmy »

Not quite correct, take this as an example:

Code: Select all

if (ENABLE_MY_MOD)
{
     $template->assign_var('SOMETHING_USELESS', 'Hello, ' . $_GET['name']);
}
else
{
     // Original phpBB Code
     $template->assign_var('SOMETHING_USELESS', 'Welcome back ' . $_GET['name']);
}
I know the phpBB guys would not do this, but its a really easy example of an XSS vulnerability that could possibly appear. Now say somebody starts exploiting it, the phpBB guys release a patch. You patch thinking brilliant I am safe, would you disable all your modifications until the mod author has confirmed them safe. I know some people might spot that the problem is somewhere else as well, but these people are not the ones that need safe mods really ;)
Chris SmithGitHub
User avatar
michaelo
Registered User
Posts: 1292
Joined: Thu Jun 13, 2002 3:49 am
Location: Dublin, Ireland
Name: Michael O'Toole
Contact:

Re: Safe Mods

Post by michaelo »

Safe Mods will only use phpBB3 accredited modifications... at least I would hope so...

So we don't get confused, by Safe I mean safe to add so that the core is not corrupted or defaced as well as safe in relation to security... and not just security safe...

In the above example $_GET['any variable'] would never be used... all vars would use phpBB's request_var('any variable', '');.... This does not point to a flaw in the proposal, as all mods with or without being Safe are liable to have such errors... In addition when $template->assign_var is used the default code is always processed... Additional conditional assignment is carried out after core code assignment... in effect overwriting variable values with mod values...

This would never happen...

Code: Select all

 
// Original phpBB Code [b]NOT![/b]
$template->assign_var('SOMETHING_USELESS', 'Welcome back ' . $_GET['name']);
A real example...

Code: Select all

 
$name = request_var('name', '');
// Original phpBB Code
$template->assign_var('SOMETHING_USELESS', 'Welcome back ' . $name);
Mod addition, note the preceding code would be left intact....

Code: Select all

if (ENABLE_MY_MOD)
{
     $name = $my_mod_value;
     $template->assign_var('SOMETHING_USELESS', 'Hello, ' . $name);
}
Mike
Contributions: Mods & Styles Extensions
(site is down): Kiss Portal Engine
ToonArmy
Former Team Member
Posts: 4608
Joined: Sat Mar 06, 2004 5:29 pm
Location: Worcestershire, UK
Name: Chris Smith
Contact:

Re: Safe Mods

Post by ToonArmy »

*sigh* I was giving the bad use of $_GET as a quick and obvious example of a flaw, and in not all circumstances the original code could be kept some would have to go inside a conditional. I dislike this proposal for many reasons but I suspect one of the reasons you are proposing it is to make it simpler to develop phpBB portals, and other phpBB derived bloatware products.
Chris SmithGitHub
User avatar
Ladysarajane
Registered User
Posts: 441
Joined: Sat Feb 18, 2006 10:05 pm

Re: Safe Mods

Post by Ladysarajane »

"bloatware" products?

If you don't want the mod, then don't download it. Bloatware only occurs with a extra product that you get when you download the main program. Such mods that are automatically installed in a forum such as phpnuke. So I cannot see where are you getting the ideal that this will cause and/or is "bloatware"
Yes the mods will remain if you disable the mod...but if you didn't want the mod, you wouldn't have installed it in the first place.
The portal is a perfect example of a mod where "Safe Mod" ability would work well.
If something happens to the portal in everyday use...such as a style that doesn't agree, then disabling the portal via the "Safe Mod" way would be extremely easy and restore the function of the phpBB3 board in a jiffy and give you time to figure out how to fix the portal and or give the unfamiliar person time to get help in fixing it. The forum would remain intact and not dependant on a mods functioning to work.

I cannot really fathom why you are objecting to the ideal. The bloatware analogy is a bad example for the safe mod. If you don't want the mod or if you didn't like the way it works...then it is easily "turned off", but if you didn't want it in the first place, then why would you install it?
When all else fails, read the instructions
User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Re: Safe Mods

Post by drathbun »

As a MOD author I just don't see how this can work, at least not in all cases. What if you need to alter the SQL? You can't just "turn off" columns that are added to the SQL code, not without a lot of extra work. Extra work that is pointless, in my opinion.

Some MODs are easily activated / deactivated. I have written plenty of MODs that can be turned on / off via the admin panel, but these are MODs that seem to add to the standard functionality rather than alter it. Consider the Categories Hierarchy "MOD" (and I use the term loosely ;-)), there is no way it could be written with this style of coding.

The ability to turn a MOD on or off doesn't fix a parse error... even if the code isn't executed (because of an "if" statement) it's still parsed.

Should MOD authors make their code as unobtrusive as possible? Yeah, I guess, when you can. Sometimes you just can't.
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image
User avatar
michaelo
Registered User
Posts: 1292
Joined: Thu Jun 13, 2002 3:49 am
Location: Dublin, Ireland
Name: Michael O'Toole
Contact:

Re: Safe Mods

Post by michaelo »

Consider the Categories Hierarchy "MOD" (and I use the term loosely ;-))
While the mod provided the much needed categories option to many boards it rendered the phpBB2 code virtually impossible to follow... adding a simple security update, or even a mod update, became at best, a chore, more often a nightmare... Even without CH a heavily modified board resulted in headaches for the support team... :(
What if you need to alter the SQL?
Use your own sql query and don't alter the core...
You can't just "turn off" columns that are added to the SQL code
There is no need, nor should there be... Any mod that alters core database structures is not going to pass the phpBB mod team inspection... therefore it will not be necessary... it would not be permitted...
The ability to turn a MOD on or off doesn't fix a parse error... even if the code isn't executed (because of an "if" statement) it's still parsed.
We agree on this point but as I have said before, you would never install a mod with a parse error so why would you make this point... The aim of the proposal is to insure the phpBB3 core can be followed, even if mod after mod is installed, not to disable poorly written code as an after thought.

Other possible reasons for disabling mods:
To investigate potential security issues…
Allow for updates (core or mod)…
Disabling one or more mods to reduce bandwidth or server stress…

I'm not suggesting the proposed additions will solve every problem all I suggest they work and at the end of the day you can still install mods without messing up core code...

In conclusion, consider this... If a heavily modded phpBB2 board was installed using Safe Mods (or some form of it) and included the ability to turn mods off... converting from phpBB2 to phpBB3 would be a breeze....

The basic rules...
1) Don't remove code...
2) Don't remove database entries and
3) Add conditional processing...
Add After and Add Before are safe...Replace With and Replace Into are not safe (but could be if the replacement codes integrity is maintained)...
Contributions: Mods & Styles Extensions
(site is down): Kiss Portal Engine
User avatar
david63
Registered User
Posts: 17798
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Contact:

Re: Safe Mods

Post by david63 »

michaelo wrote:If a heavily modded phpBB2 board was installed using Safe Mods (or some form of it) and included the ability to turn mods off... converting from phpBB2 to phpBB3 would be a breeze....
How do you arrive at that conclusion? The conversion fron phpbb2 to phpbb3 is only converting the database so any changes to the code are totally irrelevant. Also there are instances of very heavily modded phpbb2 boards being converted without any problems - I have done one with over 100 mods.
michaelo wrote:Any mod that alters core database structures is not going to pass the phpBB mod team inspection.
Since when? There are many "official" mods for phpbb2 that change the database structure and I suspect that there will be many for phpbb3 that will do the same. I cannot see any requirement that a mod does not alter the database structure see http://www.phpbb.com/mods/documentation ... /index.php for phpBB3.0 Modifications Database Requirements.
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored
User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Re: Safe Mods

Post by drathbun »

michaelo wrote:
What if you need to alter the SQL?
Use your own sql query and don't alter the core...
There is no reason to not alter an existing query, especially if your new query would simply be adding one additional field to the select / insert / update. You would be asking each MOD author to write a separate SQL query for every set of fields they add for each MOD? Think of how many potentially redundant queries that would add.
michaelo wrote:
You can't just "turn off" columns that are added to the SQL code
There is no need, nor should there be... Any mod that alters core database structures is not going to pass the phpBB mod team inspection... therefore it will not be necessary... it would not be permitted...
No, this is just wrong. :-) You are most certainly allowed to change the core database structure, either by adding tables, altering existing tables, or even dropping existing tables. There is no rule against that.
The ability to turn a MOD on or off doesn't fix a parse error... even if the code isn't executed (because of an "if" statement) it's still parsed.
We agree on this point but as I have said before, you would never install a mod with a parse error so why would you make this point... The aim of the proposal is to insure the phpBB3 core can be followed, even if mod after mod is installed, not to disable poorly written code as an after thought.
Things can go wrong during an install, especially during a manual effort. The MOD may work perfectly in isolation. But let it loose "in the wild" so to speak and there is no guarantee it will install correctly. Even with EasyMOD.
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image
User avatar
michaelo
Registered User
Posts: 1292
Joined: Thu Jun 13, 2002 3:49 am
Location: Dublin, Ireland
Name: Michael O'Toole
Contact:

Re: Safe Mods

Post by michaelo »

I made a bad attempt at explaining this... I have no problem with adding data or editing queries to fetch additional data, the problem is with the methods use...

The aim is to make all mods as self contained as possible... This is especially true for the larger mods... We both know it would be ridiculous to expect smaller mods to add queries all over the place.

If we did not provide the disable mod option we would not have a problem here, i.e. obtaining additional data would work regardless... But the disable mod option is so useful, dropping it would be a step backwards. So a method is needed to alter queries when a mod is disabled... bit of a challenge here as we don't want hundreds of if(!MOD) do this... all over the place...
No, this is just wrong. :-) You are most certainly allowed to change the core database structure, either by adding tables, altering existing tables, or even dropping existing tables. There is no rule against that.
I don't believe this was ever intended, you can add what you like but deleting or altering the core database structure is frowned on... it goes against all the advice I have received or advice given to others... For example if you drop a phpBB core table or delete a core table entries you don't have a real phpBB based system any more... in fact you wont get support if you mention you altered the core database structure....

The last point re parse errors is quite valid and a good deal clearer now... over the last five years I have install the majority of the mods out there and I have made my share of mistakes... but I suggest most if not all were down to trying to find exact phrases in the core that had been previously edited by other mod installs... exactly what I am endeavouring to eliminate...
Mike
Contributions: Mods & Styles Extensions
(site is down): Kiss Portal Engine
User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Re: Safe Mods

Post by drathbun »

michaelo wrote:
No, this is just wrong. :-) You are most certainly allowed to change the core database structure, either by adding tables, altering existing tables, or even dropping existing tables. There is no rule against that.
I don't believe this was ever intended, you can add what you like but deleting or altering the core database structure is frowned on... it goes against all the advice I have received or advice given to others... For example if you drop a phpBB core table or delete a core table entries you don't have a real phpBB based system any more... in fact you wont get support if you mention you altered the core database structure....
Deleting is an extreme example, and is not generally going to be found in a published MOD. I agree with you there. But there are plenty of MODs that alter the existing table structure, most often to add new columns. I have MODs that add columns to phpbb_users, phpbb_topics, phpbb_posts, phpbb_forums, phpbb_categories... and probably more. Those are just the ones that I can come up with off the top of my head. There are also MODs that do add brand new tables.

There is not, however, as far as I know a MOD Team policy that says you cannot alter an existing phpBB table in your MOD. And remember that support for MODs is offered by MOD authors; the support team here is under no obligation to do any MOD support whatsoever.
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image
Locked

Return to “[3.0.x] MOD Writers Discussion”