Will 3.0 have the ability for me to use ?PHP include() ? tag

Line
Registered User
Posts: 31
Joined: Tue Jun 08, 2004 11:44 pm

Post by Line »

Will 3.0 have the ability for me to use ?PHP include() ? tags?

as opposed to hard coding my design in a .tpl file?

-Line
http://www.LineDetail.com | The LineDetail Drawing Co. | Web & Graphic Designer / Flash Animator!
smithy_dll
Former Team Member
Posts: 7632
Joined: Tue Jan 08, 2002 6:27 am
Location: Australia
Name: Lachlan Smith

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by smithy_dll »

Unfortunately yes,

It is not recommended and is only intended for webmasters to quickly hack in an ads management programme into their forums.

Modifications should still use proper programming paradigms.
Systems Engineering
gobbly2100
Registered User
Posts: 76
Joined: Fri Nov 03, 2006 12:44 am
Location: UK

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by gobbly2100 »

Is this PHP include feature considered unsafe then?
Line
Registered User
Posts: 31
Joined: Tue Jun 08, 2004 11:44 pm

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by Line »

haha How can you say "unfortunately"? I've been using this 2.x version and the only way to create anything around my forums is with the overallheader.tpl and footer.tpl which is hard coded. Which means if I update the menu on my site, I have to go into the forums and change it there separately, whereas if I use an include - I don't have to!

This is great news.

-Line
http://www.LineDetail.com | The LineDetail Drawing Co. | Web & Graphic Designer / Flash Animator!
smithy_dll
Former Team Member
Posts: 7632
Joined: Tue Jan 08, 2002 6:27 am
Location: Australia
Name: Lachlan Smith

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by smithy_dll »

It's bad because it breaks the separation of HTML and PHP paradigm.

phpBB3 will ship with no PHP in template files.

As for being unsafe, well, it's not unsafe for the feature to be there. Of course that doesn't stop the administrator writing a template file with unsafe PHP or including unsafe PHP in the template.

As for your hardcoded problem, you realise you could always edit the PHP files and use the template class, it's very easy and has a lot less issues than using the PHP in templates feature.
Systems Engineering
Highway of Life
Former Team Member
Posts: 6048
Joined: Wed Feb 02, 2005 5:41 pm
Location: Bend, OR
Name: David Lewis

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by Highway of Life »

Then just use <!-- PHPINCLUDE ./../myfile.php -->

That should be easy enough to do. ;)
smithy_dll wrote: It is not recommended and is only intended for webmasters to quickly hack in an ads management programme into their forums.
I completely disagree.
It’s not ONLY intended for webmasters to 'hack' in ads to their forums.
For example, I have several websites that use a menu.php file, and so I just use the <!-- PHPINCLUDE --> to include that file. -- as well as MANY other elements.
There is more to phpinclude than ads and 'hacks'.
And it’s neither recommended, nor discouraged, you can’t say it’s "not recommended". There is no basis for that statement.
Marshalrusty
Project Manager
Posts: 29334
Joined: Mon Nov 22, 2004 10:45 pm
Location: New York City
Name: Yuriy Rusko

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by Marshalrusty »

As a team member and phpBB user, smithy_dll can recommend or not recommend using specific features in specific ways. We all, for example, have been recommending that users disable the use of html in phpBB 2.0.x, despite the feature being there. In this case, I completely agree with David. Using PHP in template files, especially on a large scale, is simply not a good idea. I have primarily been using it for testing purposes, and then moving the completed code to the .php files. If you start adding code to .html files, you'll soon forget where it is that you added something. Since it is possible to view .html files (just by navigating to them), you will be showing the world your added PHP. That's obviously not a good idea for security reasons.

So what was the point of your post, to tell David that he should be recommending the feature? On what grounds is that claim being made?
🇺🇦 Made in Ukraine, exported to the USA 🇺🇸

Have comments/praise/complaints/suggestions? Please feel free to PM me.

Need private help? Hire me for all your phpBB and web development needs
Handyman`
Former Team Member
Posts: 1751
Joined: Thu Feb 03, 2005 8:44 pm

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by Handyman` »

Marshalrusty wrote: So what was the point of your post, to tell David that he should be recommending the feature? On what grounds is that claim being made?

Highway of Life wrote: And it’s neither recommended, nor discouraged, you can’t say it’s "not recommended". There is no basis for that statement.
:)

There is more to forums than Hacks and Mods… sometimes you have to think outside the box.
It's not enabled in phpBB3 so it can just sit there… if it is a security issue, it should be removed… but it's not.
It can come in very handy for certain applications.

BTW, it's possible to program security holes out of anything… it's all about how you program… doesn't mean you have to discourage people from programming.
http://startrekguide.com My Mod Queue || 1/16/10 Display Posts Anywhere 1.2.0 RC5, Cash MOD 1.0.0 b1, MOD Version Check, AJAX Chat, SEO MOD, AJAX QR, Photo Gallery
MOD Development Manager (version 0.2.0-dev with MODX Generator)
Highway of Life
Former Team Member
Posts: 6048
Joined: Wed Feb 02, 2005 5:41 pm
Location: Bend, OR
Name: David Lewis

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by Highway of Life »

Marshalrusty wrote: As a team member and phpBB user, smithy_dll can recommend or not recommend using specific features in specific ways.
Yuriy, please re-read my post.
There are many other users outside of the phpBB.com team that are PHP experts and extremely knowledgeable when it comes to phpBB3. ;)
Marshalrusty wrote: We all, for example, have been recommending that users disable the use of html in phpBB 2.0.x, despite the feature being there.
I recommend disabling the use of html in phpBB2, but I also defend the reasoning behind the Dev team’s decision to exclude that feature from phpBB3.
You missed the whole point of the use of html in phpBB2.
Regular users were given full ability to use html, so a user from the OUTSIDE could come in and basically hack the board.
In this case, PHPINCLUDE cannot be used by Regular users... so you can’t use it as a comparison. :roll:

Notice, however, that phpBB3 has removed any features they feel are security risks, a perfect example is the HTML tags feature in phpBB2, but that feature does not exist in phpBB3. PHPINCLUDE does exist, however.
If the DEV team meant for users to NOT use that feature. Guess what?
They would not have put it in there.
It’s not there so that the phpBB team can just say it’s there.
It’s not there for people to only 'hack' in their 'ads'.
It’s not a feature that users can use, it is a TOOL for Admins and Site Developers to utilize.
Marshalrusty wrote: In this case, I completely agree with David. Using PHP in template files, especially on a large scale, is simply not a good idea.
Well of course it’s not a good idea on a large scale, But re-read my post. I did not say to use it on a large scale, I gave an example of including a menu in PHP.
Marshalrusty wrote: I have primarily been using it for testing purposes, and then moving the completed code to the .php files. If you start adding code to .html files, you'll soon forget where it is that you added something. Since it is possible to view .html files (just by navigating to them), you will be showing the world your added PHP. That's obviously not a good idea for security reasons.
That has nothing to do with the examples given. Also, <!-- INCLUDEPHP ../../../../menu.php --> is going to act like a comment tag, it’s not going to show raw PHP. :roll:
And if I really wanted to include PHP files on a large scale (not recommended), I could protect the template directory, as phpBB.com has done (for example).
Marshalrusty wrote: So what was the point of your post, to tell David that he should be recommending the feature? On what grounds is that claim being made?
Read it again.
I did not say he should be recommending it. I did not say he should not be recommending it.
But statements like that give users false-impressions without substantiation.
The point of my post was to say that you CAN use PHPINCLUDE, and that, by itself, is NOT a security issue.
To me, <!-- BEGINPHP --><!-- ENDPHP --> are a much bigger security issue, But the Dev team would NOT have included those features if they were enough of a security issue.
Last edited by Highway of Life on Mon Mar 26, 2007 5:41 am, edited 1 time in total.
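
An added example, not part of any post in this thread and not phpBB code: a small audit that lists where a template pulls in PHP, so an admin keeps a record of every include and inline block instead of forgetting where code was added. The directive spellings are the ones written in the thread, plus `PHP` as phpBB3's block opener; the sample template, the file name and the function names are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Directive spellings as written in the thread; "PHP" is phpBB3's own block opener.
INCLUDE_RE = re.compile(r"<!--\s*(?:PHPINCLUDE|INCLUDEPHP)\s+(\S+)\s*-->")
OPEN_RE = re.compile(r"<!--\s*(?:BEGINPHP|PHP)\s*-->")
CLOSE_RE = re.compile(r"<!--\s*ENDPHP\s*-->")

# Constructed sample template (not taken from a real board).
SAMPLE = """<div id="menu">
<!-- INCLUDEPHP ../../../../menu.php -->
</div>
<!-- BEGINPHP -->
echo date('Y');
<!-- ENDPHP -->
<!-- PHPINCLUDE ./../myfile.php -->
"""


def parent_hops(path):
    """How many directories above the template's own folder the path climbs."""
    depth = lowest = 0
    for part in PurePosixPath(path).parts:
        depth += -1 if part == ".." else 1
        lowest = min(lowest, depth)
    return -lowest


def audit_template(name, text):
    """Return one finding per include directive or inline PHP block."""
    findings, opened = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in INCLUDE_RE.finditer(line):
            findings.append({"file": name, "line": lineno, "kind": "include",
                             "target": m.group(1), "parent_hops": parent_hops(m.group(1))})
        if opened is None and OPEN_RE.search(line):
            opened = lineno
        if opened is not None and CLOSE_RE.search(line):
            findings.append({"file": name, "line": opened, "kind": "inline_php",
                             "end_line": lineno})
            opened = None
    if opened is not None:  # block never closed: still worth reporting
        findings.append({"file": name, "line": opened, "kind": "unclosed_php"})
    return findings


if __name__ == "__main__":
    for finding in audit_template("overall_header.html", SAMPLE):
        print(finding)
```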
NeoThermic
Security Consultant
Posts: 2141
Joined: Thu Dec 25, 2003 1:33 am
Location: United Kingdom

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by NeoThermic »

Highway of Life wrote: There are many other users outside of the phpBB.com team that are PHP experts and extremely knowledgeable when it comes to phpBB3. ;)


Yes, but are you saying that you have more knowledge of phpBB than a team member who's been on the team for 4.8 years? :roll:

Smithy's recommendation goes out to a blanket based on the majority of our user base (admins) not knowing how to use the feature securely.

NeoThermic
NeoThermic.com... a well of information. Ask me for the bit bucket so you can drink its goodness. ||新熱です
Highway of Life
Former Team Member
Posts: 6048
Joined: Wed Feb 02, 2005 5:41 pm
Location: Bend, OR
Name: David Lewis

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by Highway of Life »

NeoThermic wrote: Yes, but are you saying that you have more knowledge of phpBB than a team member who's been on the team for 4.8 years? :roll:
No no, I don’t mean to imply that at all.
It was in response to Yuriy saying that David is the governing discernment on the issue, and that I should not disagree with a team member.

If you have a menu, meta tags, headers or other similar material, there is NOTHING wrong with using PHPINCLUDE. -- David implied that there is something wrong with using it, that the team is unhappy that the function is there, and furthermore that it is ONLY intended to hack in advertisements.
NeoThermic wrote: Smithy's recommendation goes out to a blanket based on the majority of our user base (admins) not knowing how to use the feature securely.
Using the PHPINCLUDE feature securely?!? :?
It’s equivalent to PHP’s default include(); function.
And if you have a PHP file that you are wanting to include, why give a blanket statement saying that the user should not use it?
You’ll see from a user’s response that they immediately took David’s remark as though phpBB3 implemented a security hole/unsafe feature into the forums.
Furthermore, if it is indeed as unsafe as either Yuriy or David imply, then the feature should be taken out! -- however, this is not the case.
If anybody thinks I am wrong, they are more than welcome to substantiate it.
Last edited by Highway of Life on Mon Mar 26, 2007 6:02 am, edited 1 time in total.
karlsemple
Former Team Member
Posts: 39802
Joined: Mon Nov 01, 2004 8:54 am
Location: Hereford, UK

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by karlsemple »

You know as well as the rest of us that a user with a degree of php knowledge is more than capable of using this feature safely, the blanket statement covers the users who are clueless when it comes to php security and will include other php files created by themselves which will probably be full of security holes. The feature itself is not an issue but used by the wrong people it could be, for me this feature is like a loaded gun, in the wrong hands it could be deadly to a board and a nightmare for the support team :) Personally I think this is as bad as html on phpBB2
Highway of Life
Former Team Member
Posts: 6048
Joined: Wed Feb 02, 2005 5:41 pm
Location: Bend, OR
Name: David Lewis

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by Highway of Life »

karlsemple wrote: You know as well as the rest of us that a user with a degree of php knowledge is more than capable of using this feature safely, the blanket statement covers the users who are clueless when it comes to php security and will include other php files created by themselves which will probably be full of security holes.
True. :D

The question was is there such a function in phpBB3
And the response was
Unfortunately, yes
But the reasons were not substantiated as to what the potential problem might be, this gave a very inaccurate perspective of the feature. -- Perhaps it could have been worded better to achieve the desired reaction -- instead it confused and gave users a false impression. ;)
-- Elaborating a bit more -- See, why not say, its usage is discouraged, don’t say:
Smithydll wrote: It is not recommended and is only intended for webmasters to quickly hack in an ads management programme into their forums.
This is what I’m pointing out... if you’re going to make a blanket statement, make a blanket statement, this leaves a weird rip in the quilt. ;)
karlsemple wrote: Personally I think this is as bad as html on phpBB2
Why?
Last edited by Highway of Life on Mon Mar 26, 2007 6:14 am, edited 1 time in total.
karlsemple
Former Team Member
Posts: 39802
Joined: Mon Nov 01, 2004 8:54 am
Location: Hereford, UK

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by karlsemple »

The most common hack in phpBB2 was the inclusion of external code to do something nasty......for me this is basically making it a feature and you as a mod writer should not need to be asking why this could be a problem :)

EDIT: Of course that said it is a tool for a specific purpose as smithy_dll pointed out earlier and using it for anything else would be an abuse of such a tool and would be done against our advice :)
Highway of Life
Former Team Member
Posts: 6048
Joined: Wed Feb 02, 2005 5:41 pm
Location: Bend, OR
Name: David Lewis

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by Highway of Life »

:lol: haha, yes, I know that. :P

I’m asking why you believe it is as unsafe as the html feature in phpBB2. ;)
