Forum Upgrade

[bbadmin]

We've updated the forum software to use the latest version of phpBB.

If you can no longer login, please use the reset password option to create a new password.

Please let us know if you encounter any anomalies. If you are unable to post the details here because of them, contact us using this form:

https://www.textpad.com/emailus

[AmigoJack]

Apostrophes are double encoded as entities and at least dozens of my posts are affected, but surely others, too:

it's

Most likely the earlier phpBB version incorrectly saved that. This could be "easily" solved by testing these queries to see the potential outcome, and then actually commit them onto the database (assuming you run MariaDB or MySQL):

Code: Select all

UPDATE phpbb_posts    SET post_text=       replace( post_text,       ''', ''' ) WHERE post_text       LIKE '%'%';
UPDATE phpbb_posts    SET post_subject=    replace( post_subject,    ''', ''' ) WHERE post_subject    LIKE '%'%';

UPDATE phpbb_privmsgs SET message_text=    replace( message_text,    ''', ''' ) WHERE message_text    LIKE '%'%';
UPDATE phpbb_privmsgs SET message_subject= replace( message_subject, ''', ''' ) WHERE message_subject LIKE '%'%';

UPDATE phpbb_topics   SET topic_title=     replace( topic_title,     ''', ''' ) WHERE topic_title     LIKE '%'%';
 
UPDATE phpbb_users    SET username=        replace( username,        ''', ''' ) WHERE username        LIKE '%'%';
UPDATE phpbb_users    SET user_sig=        replace( user_sig,        ''', ''' ) WHERE user_sig        LIKE '%'%';
UPDATE phpbb_users    SET user_from=       replace( user_from,       ''', ''' ) WHERE user_from       LIKE '%'%';

Maybe other entities are double encoded, too.

The user profile's location is improperly encoded - I've tried to find the most common mistakes that should be corrected. Make sure you copy/paste these queries, since the search text for the replacement í has an invisible character after à (and replacing à alone would be fatal - in doubt, don't run that one last query):

Code: Select all

UPDATE phpbb_users SET user_from= replace( user_from, 'ü', 'ü' ) WHERE user_from LIKE '%ü%';
UPDATE phpbb_users SET user_from= replace( user_from, 'ê', 'ê' ) WHERE user_from LIKE '%ê%';
UPDATE phpbb_users SET user_from= replace( user_from, 'é', 'é' ) WHERE user_from LIKE '%é%';
UPDATE phpbb_users SET user_from= replace( user_from, 'è', 'è' ) WHERE user_from LIKE '%è%';
UPDATE phpbb_users SET user_from= replace( user_from, 'ú', 'ú' ) WHERE user_from LIKE '%ú%';
UPDATE phpbb_users SET user_from= replace( user_from, 'ã', 'ã' ) WHERE user_from LIKE '%ã%';
UPDATE phpbb_users SET user_from= replace( user_from, 'í', 'í' ) WHERE user_from LIKE '%í%';

Furthermore since you're now able to list all members with its details you want to delete a couple of accounts that solely registered to have a link here. They should be easily spotted as per:

Code: Select all

SELECT user_type, username, user_website, from_unixtime( user_regdate ) AS joined, from_unixtime( user_lastvisit ) AS lastvisit
  FROM phpbb_users
 WHERE user_website LIKE 'http%'
   AND user_posts= 0
   AND user_type<> 2;

Make sure to activate the "Q&A registration challenge" to prevent bots from auto-registering. Sadly the informative post on that issue is buried in the official board:

Recent updates to common spamming software have led to severe shortcomings in the stock, image-based CAPTCHAs.

This topic discusses common methods for spam prevention. For a brief overview of what spam is, see our spam FAQ.

Stopping Spam - Techniques and Strategies

1. Effective Solutions
   At this time, the below solutions seem to be most effective when fighting spambots.
   • Q&A CAPTCHA
     At this time, the Q&A CAPTCHA plugin seems to be the most effective single solution against spambots (and some human spammers). For this technique to be effective, you must use simple but non-obvious question and answer combinations. For instance, "Who do you see in the mirror?" is an effective question, while "What colour is the sky?" or "2+2 = ?" are not. These questions are particularly effective on niche forums where one can ask a question that is not immediately obvious to the general populace.
     
     One type of question that appears effective is of the type"
     
     What are the first three letters in the name (or URL) of this Board?
     
     Also very effective are questions of the type:
     
     Q: What are the first three and last three characters of this board's URL ?
     A: phpity
     
     Q: Grass is to lawn as __________ is to forest.
     A: tree
     
     Or:
     
     Q:Forest is to lawn as grass is to ______________.
     A: trees
     
     To enable the Q&A CAPTCHA, browse to Spambot countermeasures on the General tab of the Administration Control Panel (ACP), then select "Q&A" under "Installed Plugins". Select "Configure", setup your question and answer pairs, then submit the forum. Notice you may need separate Q&As for each language you use.
   • Newly Registered Users Group - phpBB 3 also sees the introduction of the "Newly Registered Users" group. This feature, which may be enabled via the User Registration Settings page of the Administration Control Panel (ACP), allows the administrator to define a minimum post count; if a user is below this limit they will be a member of the Newly Registered Users group. Permissions may be set on this group much like any other group -- an example use is to place the Newly Registered Users group on the moderation queue for all forums. The user is automatically removed from the group when they reach the defined post amount. Be aware that this feature is not retroactive -- users who registered prior to a board's upgrade to phpBB 3.0.6 will not be placed in the Newly Registered Users group, regardless of their post count.
2. Other Solutions
   • Custom Profile Fields - There is an article in the Knowledge Base detailing utilising Custom Profile Fields as a spam deterrent. This seems to be effective against most bots.
   • Admin Activation - This is not practical on most boards, but is an excellent option on smaller, less-trafficked boards. Many spam registrations utilise Gmail addresses or .cn domains, and use a seemingly random combination of letters and numbers for their username.
   • Broken Visual CAPTCHA Plugins
     These CAPTCHAs are included in the stock install but have been broken by spambots. They are ineffective and should not be used.
     • CAPTCHA Without GD
       
     • GD 3D CAPTCHA
       
     • reCAPTCHA
       
     • GD CAPTCHA
       

Rule of thumb for choosing a question is: if Google doesn't have the answer to it, it's a good one. And only use one, not multiple question/answer pairs.

[bbadmin]

Thanks for the feedback, and the helpful SQL script. 419 messages were affected, and they have now been fixed. No other fields contained the errant characters.

To block spambots, we've started with Google's reCaptcha v3 plus the requirement to respond to an email and will see how that goes.

[AmigoJack]

Google's reCaptcha

This is not GDPR compliant and per registration it captures every IP address (and since a user is mostly co-active elsewhere it's easy for Google to then identify/track them). On top it's not accessible - think of handicapped users, who can deal much more with keyboard and text than pictures and mouse. Don't give personal data to 3rd parties.

A potential unique question could be: "Enter "TextPad" without its vocals "e" and "o", so only five consonants remain" - to my knowledge one can define if the answer can be case insensitive (simply "txtpd"). Google has no answer for this.

[bbadmin]

Good point about GPR compliance. I've switched to GD 3D Captcha for now, as GD Captcha kept defeating me!

[AmigoJack]

Please don't - it may challenge you, but it doesn't challenge bots. It was declared as broken 12 years ago, as per the link of the whole quotation. The list I quoted is not an option, it's what should not be used. Use Q&A. Why phpBB still ships will all these broken methods is beyond my understanding - I told them multiple times, but they still leave it alive.

[AmigoJack]

As per Auto update for corporate users?? could you please allow subscriptions to forums? That makes it easy for members to keep track of new topics in a forum - one could subscribe to Announcements and as such get a notification (most likely an email) when a new topic is created (speak: new version is available). Currently this feature is disabled for users.

ACP > Permissions > Forum based permissions > Forum permissions > Select a forum > Submit > Groups > Registered users > Edit permissions > Advanced Permissions > Actions > Can subscribe forum > Yes > Apply permissions:

20230215 phpBB perm.png (136.34 KiB) Viewed 3254 times

Most likely you only want it for that one single forum. However, if you plan it to allow it for every forum, then go
ACP > Permissions > Permission roles > Forum roles and edit those that are used on most of your forums (most likely "Standard Access"). That way you only edit one thing and it cascades down to every forum using that role, in contrast to editing every forum on its own.

Then one is able to click on the "subscribe" link in that forum:

20230215 phpBB subscribe.png (9.47 KiB) Viewed 3254 times

You can read a bit more about it in the manual, section "Administrators".