PHPBB3 Spam Control Mechanism as of version 3.0.6
December 14th, 2009 at 7:51 am (Dust Bin)
In the article, PHPBB 3.0x Registration Spam Control Mechanism, a guide was presented on how to tighten up access to the well-known bulletin board software, focusing on the registration component where anyone can sign up as a new user. The scheme was meant to make it more difficult to automatically sign up using common exploits. At the time of writing, the software version of interest was 3.0.4. As of the current version, 3.0.6, the scheme described will not work, owing to changes in the software. This article will briefly go over a new scheme that suits the newest version.
The image verification method has been incorporated into its own class and is located in the normal install directory, here: /includes/captcha/plugins/captcha_abstract.php. This class affects both registration and anonymous posting, unlike before, when the code was specific to the target areas. So, in addition to registration access control, anonymous posting will receive the same treatment with the following modifications to the file (line numbers are approximate):
25 class phpbb_default_captcha
26 {
27     var $confirm_id;
28     var $confirm_code;
29     var $confirm_char; // mod
30     var $code;
...
41     // read input
42     $this->confirm_id = request_var('confirm_id', '');
43     $this->confirm_code = request_var('confirm_code', '');
44     $this->confirm_char = request_var('confirm_char', ''); // mod
45     $refresh = request_var('refresh_vc', false) && $config['confirm_refresh'];
...
308     AND confirm_type = " . $this->type;
309     $result = $db->sql_query($sql);
310     $row = $db->sql_fetchrow($result);
311     $db->sql_freeresult($result);
312
313     if ($row)
314     {
315
316         $this->code = $this->confirm_char . $row['code']; //mod
317         $this->seed = $row['seed'];
318         $this->attempts = $row['attempts'];
319         return true;
320     }
321
322     return false;
The lines added or altered above are marked with “//mod”: lines 29, 44, and 316. Line 44 retrieves the symbol randomly generated in the functions.php file (see the previous article for more details). Line 316, which looks slightly different from the previous version, is where the symbol is integrated with the CAPTCHA code during the verification stage. These changes replace those described in the previous article affecting the ucp_register.php file located in /includes/ucp.
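To make the effect of lines 44 and 316 concrete, here is an added example (not code from phpBB or from the original article) that models the modified check next to a variant that keeps the symbol on the server, so both can be run over the same submissions. Because line 44 takes the symbol from the request, the modified check confirms that the submitted fields agree with each other and with the stored code, while the variant also ties the symbol to server-side state. The case-insensitive comparison, the symbol column, the function names and the sample row and requests are assumptions constructed for illustration.

```php
<?php
// Constructed stand-in for one confirm-table row, keyed by confirm_id.
// 'symbol' is a hypothetical extra column used only by the stricter variant.
$rows = array(
    'abc123' => array('code' => 'K7TQ9', 'symbol' => '#'),
);

// Read one request field as a string, defaulting to '' like request_var().
function field(array $request, $name)
{
    return isset($request[$name]) ? (string) $request[$name] : '';
}

// The mod as shown on the page: line 44 reads confirm_char from the request
// and line 316 prepends it to the stored code.
function check_as_modded(array $rows, array $request)
{
    $id = field($request, 'confirm_id');
    if (!isset($rows[$id])) {
        return false;
    }
    $expected = field($request, 'confirm_char') . $rows[$id]['code'];
    // Assumed comparison step: case-insensitive equality with confirm_code.
    return strcasecmp($expected, field($request, 'confirm_code')) === 0;
}

// Stricter variant: the symbol is taken from the server-side row instead.
function check_server_side(array $rows, array $request)
{
    $id = field($request, 'confirm_id');
    if (!isset($rows[$id])) {
        return false;
    }
    $expected = $rows[$id]['symbol'] . $rows[$id]['code'];
    return strcasecmp($expected, field($request, 'confirm_code')) === 0;
}

// Constructed sample submissions.
$requests = array(
    'symbol and code'     => array('confirm_id' => 'abc123', 'confirm_char' => '#', 'confirm_code' => '#K7TQ9'),
    'code without symbol' => array('confirm_id' => 'abc123', 'confirm_char' => '',  'confirm_code' => 'K7TQ9'),
    'wrong code'          => array('confirm_id' => 'abc123', 'confirm_char' => '#', 'confirm_code' => '#XXXXX'),
);
foreach ($requests as $label => $request) {
    printf("%-20s as-modded=%-5s server-side=%s\n", $label,
        var_export(check_as_modded($rows, $request), true),
        var_export(check_server_side($rows, $request), true));
}
```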
The changes to the templates described in the previous article are basically the same, but now also apply to the template for anonymous posting, for example, posting_editing.html. The JavaScript code originally placed in the ucp_register.html template should go into the head portion of the overall_header.html template, which covers both registration and anonymous posting. The call to the dencoder function might also be placed in the footer template, but seems benign enough in the respective templates for registration and posting anonymously. Of course, depending on your theme, you may need to refresh the templates after you’ve made changes to these files. Needless to say, the image verification service should be activated.



