Tested Applications - phpBB2 2.0.21 and 2.0.22

Overview

The following application has been tested with the PHP/Perl Application Server. The information regarding it is listed for your convenience and does not indicate that MOREnet promotes, endorses, or supports any of the listed applications. During testing, MOREnet testers made notes regarding installation and running of the application which it was felt would be of interest or use to members. This information is provided for your convenience.

phpBB 2.0.21 and .22

Installation of phpBB involved downloading the application, unzipping it, then using FTP to upload it to the selected directory. Remember to read and follow the installation documentation.

When you run the online configuration interface, remember that the database server to use is db.kinetic.more.net.

After configuration, remember to use FTP to remove the ./phpBB2/install and ./phpBB2/contrib directories. The phpBB2 application will not let you use the bulletin board until these are deleted.

Your phpBB administrator account can be any account you create during the online configuration. It is not the same as your kinetic Service account and is totally separate. MOREnet recommends you do not use the same username and password as you use for your kinetic Service account.

Once installation and configuration are complete, you will want to go to the admin page first thing. There are quite a few items which can be controlled via the admin page, including the following items of note:

• You do not need to use an SMTP server for email. Use the setting of 'local mail function'.
• When creating new categories and forums, the initial 'Test Forum' (created during the install) can only be removed after you have created at least one new category and forum. Then you can move it down in the listed order so it is not the first one listed. Then you can delete it.
• User Admin -- Dissalow Names
  Note that once a username has been created, you cannot dissalow it without first removing the username through the User Admin --> Management screen. You might want to give some thought to disallowing usernames that contain certain possibly offensive words before you start allowing users to sign up.
• General Admin -- Word Censors
  Give some thought to certain words you don't want people using in their postings before they start posting. Don't be hesitant or squeemish, put those nasty words you don't want seen in your organization's online bulletin board in the Word Censor.
• General Admin -- Configuration -- Domain Name
  The Domain Name field is listed first on this page. Do not forget to set this to the domain name of your web site. Under certain circumstances, phpBB will send out emails containing a URL link to a web page within phpBB (forgotten passwords, etc.) If the Domain Name is not set, the URL link in these emails will not be correct and will not work.

The Regristration Agreement Terms page appears whenever someone tries to register a new account in phpBB2. You may have additional items to add or changes to make to this Agreement. Updating the Registration Agreement Terms page requires you to edit the php code of phpBB2. The file to edit is:

./phpBB2/language/lang_english/lang_main.php

Recommended and Suggested Code Changes

Session Ignoring Clients Can Generate Large Number of Sessions in Database
Under certain circumstances phpBB2 can generate a very large number of sessions which get stored in the database. This can occur when the bulletin board is being spidered by a client (typically a search engine) which does not accept cookies. The usercp_register.php script queries the database to get a list of all session keys and can potentially return a huge result set. This result set is then used to re-query the database for certain information. The query generated has been observed to actually exceed the maximum allowed query packet size allowed in the database (2MB). Although this limit can be raised, this is not a solution as the number of sessions generated continues to grow until it hits the new limit. To prevent this, the following code change is recommended:

File 1: /path/to/phpbb2/includes/constants.php
Locate the below code section and add the code in bold.

// Session parameters
define('SESSION_METHOD_COOKIE', 100);
define('SESSION_METHOD_GET', 101);
define('SESSION_QUERY_LIMIT',100);

  // Visual Confirmation
  $confirm_image = '';
  if (!empty($board_config['enable_confirm']) && $mode == 'register')
 {
   $sql = 'SELECT session_id
     FROM ' . SESSIONS_TABLE . ' ORDER BY session_time DESC LIMIT ' . SESSION_QUERY_LIMIT ;
   if (!($result = $db->sql_query($sql)))
   {

Member List is Viewable to Non-Members
The Member List page is by default viewable by non-logged in visitors. This page can contain member email addresses and links to their home page web site, if the member chose to enter and make visible those items. To make the Member List viewable by only logged-in members, the following code change is suggested:

File: /path/to/phpbb2/memberlist.php
Locate the below code and add the code in bold.

// Start session management
//
$userdata = session_pagestart($user_ip, PAGE_VIEWMEMBERS);
init_userprefs($userdata);
//
// End session management
//
// Start auth check
if ( !$userdata['session_logged_in'] )
  {
    redirect(append_sid("login.$phpEx?redirect=memberlist.$phpEx", true));
  }
// End of auth check

Group List is Viewable to Non-Members
The Group List page is by default viewable by non-logged in visitors. This page can also contain member email addresses and links to their home page web site, if the member chose to enter and make visible those items. To make the Group List viewable by only logged-in members, the following code change is suggested:

File: /path/to/phpbb2/groupcp.php
Locate the below code and add the code in bold.

// Start session management
//
$userdata = session_pagestart($user_ip, PAGE_GROUPCP);
init_userprefs($userdata);
//
// End session management
//
// Start auth check
if ( !$userdata['session_logged_in'] )
  {
    redirect(append_sid("login.$phpEx?redirect=groupcp.$phpEx", true));
  }
// End of auth check

Notes Regarding Administering phpBB2

SpamBot Registrations
It is recommended that user registration have "Enable account activation" set to "Admin" and that "Enable Visual Confirmation" be set to "Yes" on the phpBB2 Administration - Configuration page.

It has been noted that despite the captcha usage on the user registration page, spambots still succeed in registering with phpBB2. There is on-going discussion of this issue on the phpBB2 forums and lists. There are also several "MODs" available that address this issue. It is recommended that administrators of a phpBB2 bulletin board be very diligent in attending to registrations. By default, the information of registered phpBB2 accounts can be viewed by the public, even if they have not yet had their membership approved. Spambots can place some very undesirable content into the profile information fields.

phpBB2 Resources

• phpBB2 Support Page: http://www.phpbb.com/support/
• User's Guide: http://www.phpbb.com/support/guide/
• Online Support Forum: http://www.phpbb.com/phpBB/viewforum.php?f=1

Download from: http://www.phpbb.com/
phpBB2 is free and released under the General Public License, GPL.