delicate question...

Phil Tanny
Registered User
Posts: 40
Joined: Thu Apr 15, 2004 1:43 pm
Location: Gainesville Florida USA

Post by Phil Tanny » Tue Aug 23, 2005 12:33 pm

Hello all,

I love using phpBB forums across the Net, and am considering setting up my own forum. As a user, I definitely like phpBB better than the other forum software I've encountered.

I must admit I'm concerned about phpBB security, and to a lesser degree reliability. It seems I'm always reading about hackers getting into phpBB, and a seemingly endless stream of patches etc.

As it happens, one of my favorite boards was hacked last night, with a rude mailing sent to all members. The other is at this moment down with a database error of some kind.

So, the delicate question...

If I don't have the patience for patches and fighting hackers etc, should I go with something else? Maybe rent hosting service from a company who will be responsible for my forum?

It's fantastic that phpBB is a free gift from some generous folks, but that also means no one is really responsible.

Please don't take offense, just trying to find my way here.

Thanks!

SamG
Former Team Member
Posts: 3221
Joined: Fri Aug 31, 2001 6:35 pm
Location: Beautiful Northwest Lower Michigan
Name: Sam Graf

Post by SamG » Tue Aug 23, 2005 1:36 pm

To be honest, if you don't want to maintain the software, then your only option is to go with a provider who will do it for you.

I can't think of a single non-trivial script package I use on the Web that hasn't had a seemingly endless stream of patches and updates over the last year or so. Bug fixes and security enhancements are not uncommon, let alone product development releases.

And this assault on security included stuff from the "big guys" like the XML-RPC libraries. Script packages set up using libraries have to issue patches for their software regardless.

It's a big job to develop Web-based software, and on the Web, it's a big job to be a content provider if you use non-trivial scripts. No matter what script package you use, you either maintain it, or you pay others to maintain it; there is no "install it and forget it" any more. So it sounds like the latter is a better option for you.

Phil Tanny
Registered User
Posts: 40
Joined: Thu Apr 15, 2004 1:43 pm
Location: Gainesville Florida USA

Post by Phil Tanny » Tue Aug 23, 2005 2:06 pm

Thanks Sam, I hear you.

It seems phpBB's well-deserved popularity is a lot of the reason there has been so much hacking. The secret to coding hack-proof software is to make it really junky, charge a lot for it, and market it really poorly. :-) phpBB developers are falling down on that job, eh?

If anyone cares to continue, and if it's appropriate, two threads come to mind.

1) Who can provide turnkey phpBB hosting in a professional manner? First choice would be a company with that stated focus.

2) What's involved really with the updates, patches etc.? What should I expect to be doing, and how often roughly?

I'm a Perl apprentice, know nothing about PHP or MySQL, and don't really want to learn too much honestly. Perl is all I can handle, and then some.

SamG
Former Team Member
Posts: 3221
Joined: Fri Aug 31, 2001 6:35 pm
Location: Beautiful Northwest Lower Michigan
Name: Sam Graf

Post by SamG » Tue Aug 23, 2005 2:36 pm

For advice on turnkey operations, you'll want to go to a site like WebHostingTalk.com rather than here.

The labor involved in maintaining a phpBB install is directly connected to the number of modifications made to the software core or database, so it's hard to make a generalization. Default installs of the software are not difficult to update, though some people find the upgrade/update options confusing at first.

You could give it a try yourself, if you're interested. Go to the full list of files at the SourceForge phpBB projects page and pick out an older version of phpBB 2. You'll find the various types of update files for the next stable release there as well. In the Announcements forum here (not something at SourceForge) you'll find the release announcements and various instructions in them. Go to the release announcement for the update you want to apply and follow the instructions there. That's the core process of an update, the material supplied in the announcement. See how it all goes for you for a default install.

Phil Tanny
Registered User
Posts: 40
Joined: Thu Apr 15, 2004 1:43 pm
Location: Gainesville Florida USA

Post by Phil Tanny » Wed Aug 24, 2005 12:41 am

Thanks Sam. I've tried to do a manual install of phpBB before, and didn't enjoy it much. So your idea is a good one, and I guess I've already done that test sort of, thus my questions.

But then I discovered I could install phpBB with a few clicks out of Cpanel, and that's great. Very nice.

Assuming an unmodified install, I'm wondering why updates couldn't be easy too?

The developers release an update, and send a notice to the mailing list. I then click an update button in the control panel, some user agent code goes to the home site, grabs the needed code, reprints files that need to be updated.

Or a cron could check the developer site for upgrades and patches, and notify me, removing the need for developers to mail the list.

It seems you could even do it fully automated, but I'd guess folks would like to be able to decide if/when to upgrade.

Apple has a system like this in place for all their software. At a schedule of my choosing, a notice will pop up telling me what upgrades are available. If I click yes, the software is upgraded. End of story.

It seems some system like this would really help in the battle with the hackers, because it would mean more forum owners were up to date, thus fewer targets of opportunity, attracting fewer hackers, thus less need for patches etc.

The update process I read about here, "take this little piece of text and paste it in here, and then change this line to that," and so on, seems kinda primitive I guess.

Would guess all of this has likely been discussed before, and that there are real reasons why this isn't already in place.

Is this forum the appropriate place to meet freelance phpBB techs?

SamG
Former Team Member
Posts: 3221
Joined: Fri Aug 31, 2001 6:35 pm
Location: Beautiful Northwest Lower Michigan
Name: Sam Graf

Post by SamG » Wed Aug 24, 2005 1:28 am

Phil Tanny wrote: The update process I read about here, "take this little piece of text and paste it in here, and then change this line to that," and so on, seems kinda primitive I guess.

Updating that way is just one of the options. And that brings me back to the comment I made earlier, where some people are a little confuzled by the options available for the update process. For a vanilla install of phpBB, you could upload the changed files only, for example.

Yeah, the automated update thingy has been discussed. I'm not aware of any PHP script package that offers that as a feature. It's increasingly common for some form of notification to occur, but an automated update process faces some challenges. It's really not possible to compare the desktop environment to a webserver environment in that regard, as attractive as the comparison seems.

Phil Tanny
Registered User
Posts: 40
Joined: Thu Apr 15, 2004 1:43 pm
Location: Gainesville Florida USA

Post by Phil Tanny » Wed Aug 24, 2005 1:40 am

SamG wrote: It's really not possible to compare the desktop environment to a webserver environment in that regard, as attractive as the comparison seems.


OK, my understanding of such issues is admittedly basic.

But even a modest coder like me can write a script that will grab text off your site, and overwrite a file on my site with it. A dozen lines of code. Aren't we just talking about text files? Or?

My impression was that a phpBB update was a matter of swapping some text with some other text. More to it?

Bullmax
Registered User
Posts: 2012
Joined: Fri Jan 30, 2004 3:36 pm

Post by Bullmax » Wed Aug 24, 2005 1:40 am

What was the hacked email about?
I had someone hack my site using the phpBB email as well.

Phil Tanny
Registered User
Posts: 40
Joined: Thu Apr 15, 2004 1:43 pm
Location: Gainesville Florida USA

Post by Phil Tanny » Wed Aug 24, 2005 1:48 am

Some guy from Argentina I think, sent a mail out to the list bragging about how he'd hacked in, and the forum owner should upgrade etc.

He even included an email address for himself, a hotmail address.

I think he thought he was doing a public service. Let's break into his house and steal all his stuff, just to show him he needs new locks, I'm sure he'd appreciate the tip....

omg
Registered User
Posts: 4
Joined: Tue Apr 19, 2005 7:29 pm

Post by omg » Wed Aug 24, 2005 8:33 am

Phil:
You may want to take a look at EasyMod in the Mods Releases section of this board. It makes upgrading very fast and easy.
Regards.

boyandin
Registered User
Posts: 8
Joined: Wed Jul 13, 2005 5:41 am

Post by boyandin » Wed Aug 24, 2005 8:56 am

Phil Tanny wrote: ... It seems some system like this would really help in the battle with the hackers, because it would mean more forum owners were up to date, thus fewer targets of opportunity, attracting fewer hackers, thus less need for patches etc.

The update process I read about here, "take this little piece of text and paste it in here, and then change this line to that," and so on, seems kinda primitive I guess.

Would guess all of this has likely been discussed before, and that there are real reasons why this isn't already in place.

Is this forum the appropriate place to meet freelance phpBB techs?


We with friends do host phpBB, both for ourselves and for others. Some derivatives at times look very peculiar (say, [Removed] ).

The automated upgrades are only available when a 'standard' distribution is used. If you use many custom changes/modules installed, this can become quite a challenge. For example, I made several 'hacks' to

- have the forum always use UTF-8
- automatically change the forums available when user changes language setting in their profile
- use not the host name stored in DB but the one from $_SERVER['HTTP_HOST'] (this allows installing the same forum on different sites using the same DB)
and so on

This makes the automated upgrade next to impossible. So perhaps you should find the people that could assist you in setting up forum/tuning it to your taste. CPanel installation doesn't always have the last minute changes, and the phpBB hacks (if you haven't updated for a long time) can efface your forum/site in quite a nasty way.

So, there are advantages in every approach, as well as inconveniences.

Good luck!

Konstantin

jk1
Registered User
Posts: 103
Joined: Sun Jul 21, 2002 10:55 pm
Location: USA

Post by jk1 » Wed Aug 24, 2005 7:42 pm

Phil Tanny wrote: My impression was that a phpBB update was a matter of swapping some text with some other text. More to it?


Well if you have a plain, un-modified, version of phpBB, updating it is very simple.

There is a "changed files" version of each update.

1. You simply copy the new files over the old ones.

2. Then you point your browser to an update script that is included in the file package. (Usually the path is http://yourwebsitehere.com/install/update_to_latest.php )

3. Delete the /install/ directory.

Speaking for myself, I ran a plain version of phpBB for years and when a new upgrade came out, I had done the upgrade in about 5 minutes, and that includes reading the release notes.

Phil Tanny wrote: Or a cron could check the developer site for upgrades and patches, and notify me, removing the need for developers to mail the list.


You don't need this. Every time you visit your admin pages in phpBB, it will tell you if your version is out of date.
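
The caveat running through this thread, that copying the "changed files" package is only simple on an unmodified install and that the install/ directory has to go afterwards, can be checked before anything is overwritten. This is an added example, not part of any post and not phpBB's own code: it assumes you kept a pristine copy of the release you installed, and the function names and sample file names (apart from install/update_to_latest.php) are hypothetical.

```python
import tempfile
from pathlib import Path


def plan_update(live: Path, pristine: Path, changed: Path) -> dict:
    """Classify each file in the changed-files package before copying it."""
    safe, conflicts, new = [], [], []
    for src in sorted(p for p in changed.rglob("*") if p.is_file()):
        rel = src.relative_to(changed).as_posix()
        live_f, orig_f = live / rel, pristine / rel
        if not live_f.exists():
            new.append(rel)        # introduced by the update package
        elif orig_f.exists() and live_f.read_bytes() == orig_f.read_bytes():
            safe.append(rel)       # untouched since install: overwrite freely
        else:
            conflicts.append(rel)  # locally modified: a blind copy drops the mod
    return {"safe": safe, "conflicts": conflicts, "new": new}


def install_dir_left_behind(live: Path) -> bool:
    """Step 3 check: install/ must be gone once the update script has run."""
    return (live / "install").is_dir()


def demo() -> tuple:
    """Constructed sample trees; file names and contents are illustrative."""
    root = Path(tempfile.mkdtemp())
    trees = {
        "pristine": {"forum_page.php": "v1", "lib/custom.php": "v1"},
        "live": {"forum_page.php": "v1", "lib/custom.php": "v1 + local mod"},
        "changed": {"forum_page.php": "v2", "lib/custom.php": "v2",
                    "install/update_to_latest.php": "updater"},
    }
    for tree, entries in trees.items():
        for rel, body in entries.items():
            path = root / tree / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    plan = plan_update(root / "live", root / "pristine", root / "changed")
    before = install_dir_left_behind(root / "live")
    (root / "live" / "install").mkdir()  # simulate step 1 copying install/
    return plan, before, install_dir_left_behind(root / "live")


if __name__ == "__main__":
    print(demo())
```

Anything listed under `conflicts` needs its modification re-applied by hand after the copy; a `True` from `install_dir_left_behind` after the update means step 3 was skipped.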

Phil Tanny
Registered User
Posts: 40
Joined: Thu Apr 15, 2004 1:43 pm
Location: Gainesville Florida USA

Post by Phil Tanny » Wed Aug 31, 2005 12:49 am

jk1 wrote: Well if you have a plain, un-modified, version of phpBB, updating it is very simple.


Thanks for all the comments everyone, much appreciated. Here's a followup question.

I've been hoping for a version of phpBB that creates posts that are indexable by search engines. My not entirely clear understanding is that the long promised next version will provide this. I know the current version can be hacked in to indexable form, but then we are in to a modified install, which is harder to update.

It seems installing a forum that won't be indexed by search engines is missing a rather large marketing point. Would we create a website that wouldn't be indexed by the engines?

Anyway, would anyone care to comment on my admittedly incomplete understanding (misunderstanding?) of the relationship between phpBB, search engines, and ease of updating?

Thanks again!

quick5pnt0
Registered User
Posts: 1083
Joined: Sun May 16, 2004 1:16 am

Post by quick5pnt0 » Wed Aug 31, 2005 1:57 am

To put it very simply, phpBB uses a thing called sessions, and search engines like Google don't really care for sessions. The fix for this is to know when Google shows up and not use sessions for Google's bot, but again this is a mod.

Mark The Daemon
Registered User
Posts: 7
Joined: Wed Aug 31, 2005 2:49 am
Location: Isle Of Wight, UK

Post by Mark The Daemon » Wed Aug 31, 2005 2:58 am

jk1 wrote:
Phil Tanny wrote: My impression was that a phpBB update was a matter of swapping some text with some other text. More to it?


Well if you have a plain, un-modified, version of phpBB, updating it is very simple.

There is a "changed files" version of each update.

1. You simply copy the new files over the old ones.

2. Then you point your browser to an update script that is included in the file package. (Usually the path is http://yourwebsitehere.com/install/update_to_latest.php )

3. Delete the /install/ directory.

Speaking for myself, I ran a plain version of phpBB for years and when a new upgrade came out, I had done the upgrade in about 5 minutes, and that includes reading the release notes.

Phil Tanny wrote: Or a cron could check the developer site for upgrades and patches, and notify me, removing the need for developers to mail the list.


You don't need this. Every time you visit your admin pages in phpBB, it will tell you if your version is out of date.


A little bit off the point here, but what do the users see if they try to access the forum while I am updating it?
