phpBB3: Open Source Forum Software Evolved

    J. Battye

    The 13th of December, 2007 marked the beginning of another chapter of the success story that is open source software, as phpBB version 3 was released. phpBB, an open source bulletin board system, was created by James Atkinson in 2000 as a forum solution for his wife. From its low-key beginnings, phpBB has gone from strength to strength, earning itself a reputation as one of the “killer apps” for the PHP scripting language.

    The bulletin board concept dates back to the 1980s, when the earliest forms took shape as newsgroups and primitive dial-up message boards. With the introduction of the Web, bulletin boards, now commonly known as internet forums, have become incredibly user-friendly and customisable, and have played a key role in the current social networking trend. It should therefore come as no surprise that on the Internet today there are many millions of active forums, a significant number of which are phpBB installations.

    phpBB 2.0 was released in April 2002, and the software has enjoyed constant evolution by an active developer community since. In May 2007, the first of eight phpBB3 release candidates was made available to the public. The release candidate stage was lengthy, but ensured that the official release, phpBB v3.0.0, was of a very high standard.

    Changes Between phpBB2 and phpBB3

    To many people, phpBB2 will be remembered for its revolutionary theme, subSilver, whose combination of simple and slick allowed for a very attractive default theme. Considering it’s now nearly five years old, the design of the subSilver theme still holds up pretty well.

    The default phpBB2 theme -- subSilver

    Change is inevitable, though, and perhaps the most noticeable difference that a user sees when comparing a forum that uses phpBB2 to one that uses phpBB3 will be the front-end code used by the board — especially if you dive under the hood. While the colour schemes between the new proSilver theme and subSilver are quite similar, proSilver has quite noticeably distanced itself from a table-based layout. Many people will be pleased to know that the new style is CSS driven, and is XHTML 1.0 Strict compliant. Tables have only been used when appropriate, for instance, in the display of tabular data such as statistics and the member list.

    phpBB3 (codenamed Olympus) also includes many features requested by the phpBB community. Features that were only available as modifications in phpBB2 are now available as standard functionality.

    Some of the more popular additions include those relating to:

    • file attachments
    • user and moderator control panels
    • the ability to add unlimited layers of forums (subforums)

    From an administrative perspective, the largest change comes in the permissions system. While the administration control panel has been completely revamped (it now uses a truly modular system), getting your head around the new permissions system is perhaps the most difficult part of upgrading. The new permission system allows for finer, more granular permission assignment, as well as many new permissions that administrators are able to assign. For easier management, permission roles are included, as is the ability to copy and transfer permissions from other forums. An in-depth overview of the new permissions system forms part of the phpBB documentation.

    Notably absent from phpBB3 is an inbuilt modification (MOD) installer. However, as was the case with phpBB2, an official add-on will be published by the phpBB MOD Team for performing automatic MOD installations. Codenamed Blinky, the MOD installer is a modular addition to the administration control panel, which adds a new MODs tab to the administration navigation.

    When installing a modification, the MOD installer will read and parse an XML file, storing information about the desired MOD to be installed. Various actions are performed on the basis of this XML file, such as adding, replacing, and removing code. This MOD installer is still under development, but the development team behind Blinky hopes to have something released soon.

    The image below shows the details of the MOD installation, which only appear if enabled by the administrator, or if an error occurred.

    Details of the MOD installation

    Below, we see the flexibility in the MOD Manager. The code has three different methods to handle files, including FTP and the creation of a compressed archive.

    Flexibility in the MOD Manager


    Security has always been phpBB’s number one priority. Many measures were taken during the development of phpBB3 to ensure that it was an extremely secure product from the outset. An external security audit was carried out by a team that included Stefan Esser, a PHP security expert and former PHP developer. The audit revealed several issues in phpBB3 that were duly fixed, and it was a considerable credit to the developers that no SQL injection or remote code injection vulnerabilities were found.

    phpBB3 was completely rewritten, and strict new coding guidelines were put in place for the developers. In Esser’s own words, this “led to a better security architecture than phpBB2’s.” phpBB3 reads every request parameter ($_POST, $_GET, and so on) through a single function, request_var, which casts the value to the type of the default it is given and escapes HTML in strings, so raw, untyped input never reaches application code directly. This is combined with a new database abstraction layer: its $db->sql_escape method performs driver-specific escaping, and its sql_build_array function applies that escaping automatically to every string in an array of column values. Escaping used to be handled through basic str_replace calls; with these functions it is now easy to write database queries securely.

    In phpBB2, a database query would have looked something like the following, with both the $email and $icq variables having been defined earlier from POST data:

    $sql = "UPDATE " . USERS_TABLE . "
        SET user_email = '" . str_replace("'", "''", $email) . "',
            user_icq = '" . str_replace("'", "''", $icq) . "'
        WHERE user_id = " . $userdata['user_id'];

    Because of the new techniques employed in phpBB3, queries are much more structured. The new method, $db->sql_escape, replaces the older practice of using str_replace to prepare strings:

    $sql = 'UPDATE ' . USERS_TABLE . "
        SET user_email = '" . $db->sql_escape($email) . "',
            user_icq = '" . $db->sql_escape($icq) . "'
        WHERE user_id = " . (int) $user->data['user_id'];

    When there are a number of columns that need to be updated, the $db->sql_build_array function can be used. This function automatically escapes strings within the array. Larger queries may therefore look like this:

    $sql_data = array(
        'user_email' => request_var('email', ''),
        'user_icq'   => request_var('icq', ''),
        'user_yahoo' => request_var('yahoo', ''),
        'user_msn'   => request_var('msn', ''),
    );
    $sql = 'UPDATE ' . USERS_TABLE . '
        SET ' . $db->sql_build_array('UPDATE', $sql_data) . '
        WHERE user_id = ' . (int) $user->data['user_id'];
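    To make the difference between the two approaches concrete, the following is an added, self-contained PHP script, not phpBB’s own code. It models the request_var / $db->sql_escape / $db->sql_build_array pattern described above with small stand-in functions (escape_phpbb2_style, escape_mysql, read_typed and build_update_fragment are names chosen here for illustration), places the phpBB2-style quote doubling beside them, and runs both over constructed attacker input. It assumes a MySQL target and a phpbb_users table; the escaper reproduces the character set that MySQL’s real_escape_string handles, without charset awareness, so the script runs with no database connection.

```php
<?php
// Added illustration, not phpBB code: stand-in functions modelling the
// phpBB3 request_var / $db->sql_escape / $db->sql_build_array pattern,
// placed beside phpBB2-style quote doubling and run on constructed input.
// Assumed: the target is MySQL, the table is phpbb_users, and escaping
// mirrors mysql_real_escape_string's character set (without charset
// awareness) so the script runs with no database connection.

// phpBB2-style preparation: only the single quote is doubled.
function escape_phpbb2_style(string $value): string
{
    return str_replace("'", "''", $value);
}

// What $db->sql_escape does for MySQL, minus the connection: escape the
// backslash as well as quotes, NUL, newlines and Ctrl-Z. A real driver also
// knows the connection charset, which matters for multibyte encodings.
function escape_mysql(string $value): string
{
    return strtr($value, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\0"   => "\\0",
        "\x1a" => "\\Z",
    ]);
}

// request_var-like reader: the type of the default decides the cast, so a
// string can never reach an integer column, and strings are HTML-escaped.
function read_typed(array $request, string $name, $default)
{
    if (!isset($request[$name])) {
        return $default;
    }
    if (is_int($default)) {
        return (int) $request[$name];
    }
    return htmlspecialchars(trim((string) $request[$name]), ENT_COMPAT, 'UTF-8');
}

// sql_build_array('UPDATE', ...)-like fragment: integers go in bare, strings
// quoted and escaped, column names checked, anything else rejected.
function build_update_fragment(array $columns): string
{
    $parts = [];
    foreach ($columns as $column => $value) {
        if (!preg_match('/^[a-z_][a-z0-9_]*$/', $column)) {
            throw new InvalidArgumentException("bad column name: $column");
        }
        if (is_int($value)) {
            $parts[] = "$column = $value";
        } elseif (is_string($value)) {
            $parts[] = "$column = '" . escape_mysql($value) . "'";
        } else {
            throw new InvalidArgumentException("unsupported value for $column");
        }
    }
    return implode(', ', $parts);
}

// Constructed attacker input: a backslash in front of the quote is what
// defeats quote doubling on MySQL, and the id carries a trailing expression.
$post = [
    'email' => "\\' OR 1=1 -- ",
    'icq'   => '123456',
    'id'    => '7 OR 1=1',
];

// phpBB2 style: the doubled quote becomes \'' which MySQL reads as an
// escaped quote followed by the closing quote; the rest of the value is
// attacker SQL, and the comment marker removes the WHERE clause entirely.
$unsafe = "UPDATE phpbb_users SET user_email = '" . escape_phpbb2_style($post['email'])
        . "' WHERE user_id = " . $post['id'];

// phpBB3 style: typed reads first, then one builder that escapes everything.
$data = [
    'user_email' => read_typed($post, 'email', ''),
    'user_icq'   => read_typed($post, 'icq', ''),
];
$safe = 'UPDATE phpbb_users SET ' . build_update_fragment($data)
      . ' WHERE user_id = ' . read_typed($post, 'id', 0);

echo "phpBB2 style: $unsafe\n";
echo "phpBB3 style: $safe\n";
```

    Run with php on the command line. In the phpBB2-style line, MySQL sees the literal '\'' as a one-character string, treats OR 1=1 as part of the SET expression and discards everything after the comment marker, so the WHERE clause is gone and every row is updated; the unescaped id is also free to carry its own expression. In the phpBB3-style line the backslash itself is escaped, the quote stays inside the literal, and the id has been cast to the integer 7 before it ever reaches the query. Quote doubling on its own is only adequate where the database does not treat the backslash as an escape character, which is exactly why the escaping belongs in the database layer that knows which driver it is talking to.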

    The phpBB MOD Team shares the Development Team’s belief that security is paramount. As with phpBB2, the MOD Team plans on continuing to validate every MOD that’s submitted to the online database, ensuring that modifications adhere to the new coding guidelines as well as meeting security standards set by the team. After automated checks are made, MOD team members audit every submission line-by-line before testing the MOD to ensure that it functions correctly. The entire validation process takes time, but the result is that users have a quality assurance that’s unique to

    The Future: phpBB v3.2

    The next major release of phpBB will be v3.2, codenamed “Ascraeus.” The Development Team has set a total of six milestones for the development of v3.2, the first of which will consist of general changes to phpBB. Such changes will include dropping support for PHP 4.x and MySQL 3.x/4.0.x.

    The BBCode parser will also be revamped. It will be separated entirely from the posting page, allowing BBCode to be used in any text area. A community-requested feature — the editing of existing BBCode functions — will also be implemented, essentially meaning that there will be no differentiation between the default BBCode functions and those added by the board administrator.

    The second milestone focuses on the implementation of many exciting new features. The user session functions will be revisited, while the posting page and moderator control panel will be enhanced. phpBB will make use of Ajax for the first time, though only where appropriate. Additionally, the topic and forum listings will receive increased functionality, such as non-permanent or “soft” deleting of topics and some minor tweaks to the global announcement system.

    Possibly the most anticipated new feature, however, will be the highly customizable events system, which will be a fantastic addition for both board administrators and phpBB MOD authors. In talking about the events system, Meik Sievertsen said, “The event system is a trigger-based system whereby admin-definable ‘actions’ are fired upon specific conditions. Sample pre-defined triggers could be: ‘posting, replying, or registering’. The condition applied to this trigger might be something like ‘having more than x posts’ and the action might be ‘place this user into group Y’.” As you can imagine, this functionality will automate many of the processes that are currently performed by board moderators and administrators.

    Beyond v3.2, there will be phpBB v3.4. With the increased use of AJAX, an expanded events system, and additional database control for board administrators all on the cards, the future is looking very bright for phpBB.

    Thanks to Meik Sievertsen (“Acyd Burn”) and Josh Woody (“A_Jelly_Doughnut”) for providing information about phpBB development, and the phpBB MOD installer, respectively.