phpBB 2.0.10 to 2.0.11 Code Changes

These are the code changes introduced between phpBB 2.0.10 and phpBB 2.0.11. If you have installed many hacks on a forum, but wish to update it, these may help you. It is often easier to apply code changes such as these instead of replacing and rehacking your current files.

These code changes use the following instruction labels:
filename - The name of a file to be edited. Equivalent to an OPEN action in a hack or modification. FIND - This indicates lines of code you should locate. Changes will be made in reference to this code.
REPLACE WITH - This code should completely replace the code in the preceding FIND instruction.
AFTER, ADD - The code in this instruction should be added on a new line after the last line of code in the preceding FIND instruction.
BEFORE, ADD - The code in this instruction should be added on a new line before the first line of code in the preceding FIND instruction.
FIND AND DELETE - Locate the code in this instruction as with a FIND statement, and then delete the code.

Once you have completed the code changes, create an install/ directory in your forum's root directory, and upload the update_to_2011.php file that comes in any phpBB 2.0.11 download to the install/ directory. Run update_to_2011.php by opening it via your web browser, just as you would a normal forum page. Afterward, delete the file and the install/ directory so that your forum is accessible again.

Now, onward to the file changes!

includes/usercp_confirm.php
phpBB 2.0.11 adds a visual confirmation system to registration as a default feature of phpBB. In doing so, a new file was added to phpBB. This file is includes/usercp_confirm.php. Be sure to download the full version of 2.0.11 or the Changed Files version of 2.0.11 to get this file and add it to your forum! If you do not do this, people will not be able to register.
admin/admin_board.php
FIND
Code:
$activation_admin = ( $new['require_activation'] == USER_ACTIVATION_ADMIN ) ? "checked=\"checked\"" : "";
AFTER, ADD
Code:
$confirm_yes = ($new['enable_confirm']) ? 'checked="checked"' : '';
$confirm_no = (!$new['enable_confirm']) ? 'checked="checked"' : '';
FIND
Code:
   "L_ADMIN" => $lang['Acc_Admin'],
AFTER, ADD
Code:
   "L_VISUAL_CONFIRM" => $lang['Visual_confirm'],
   "L_VISUAL_CONFIRM_EXPLAIN" => $lang['Visual_confirm_explain'],
common.php
FIND
Code:
function unset_vars(&$var)
{
   while (list($var_name, $null) = @each($var))
   {
      unset($GLOBALS[$var_name]);
   }
   return;
}

//
error_reporting  (E_ERROR | E_WARNING | E_PARSE); // This will NOT report uninitialized variables
set_magic_quotes_runtime(0); // Disable magic_quotes_runtime

$ini_val = (@phpversion() >= '4.0.0') ? 'ini_get' : 'get_cfg_var';

// Unset globally registered vars - PHP5 ... hhmmm
if (@$ini_val('register_globals') == '1' || strtolower(@$ini_val('register_globals')) == 'on')
{
   $var_prefix = 'HTTP';
   $var_suffix = '_VARS';
   
   $test = array('_GET', '_POST', '_SERVER', '_COOKIE', '_ENV');

   foreach ($test as $var)
   {
      if (is_array(${$var_prefix . $var . $var_suffix}))
      {
         unset_vars(${$var_prefix . $var . $var_suffix});
         @reset(${$var_prefix . $var . $var_suffix});
      }

      if (is_array(${$var}))
      {
         unset_vars(${$var});
         @reset(${$var});
      }
   }

   if (is_array(${'_FILES'}))
   {
      unset_vars(${'_FILES'});
      @reset(${'_FILES'});
   }

   if (is_array(${'HTTP_POST_FILES'}))
   {
      unset_vars(${'HTTP_POST_FILES'});
      @reset(${'HTTP_POST_FILES'});
   }
}

// PHP5 with register_long_arrays off?
if (!isset($HTTP_POST_VARS) && isset($_POST))
{
   $HTTP_POST_VARS = $_POST;
   $HTTP_GET_VARS = $_GET;
   $HTTP_SERVER_VARS = $_SERVER;
   $HTTP_COOKIE_VARS = $_COOKIE;
   $HTTP_ENV_VARS = $_ENV;
   $HTTP_POST_FILES = $_FILES;
}
REPLACE WITH
Code:
error_reporting  (E_ERROR | E_WARNING | E_PARSE); // This will NOT report uninitialized variables
set_magic_quotes_runtime(0); // Disable magic_quotes_runtime

// The following code (unsetting globals) was contributed by Matt Kavanagh

// PHP5 with register_long_arrays off?
if (!isset($HTTP_POST_VARS) && isset($_POST))
{
   $HTTP_POST_VARS = $_POST;
   $HTTP_GET_VARS = $_GET;
   $HTTP_SERVER_VARS = $_SERVER;
   $HTTP_COOKIE_VARS = $_COOKIE;
   $HTTP_ENV_VARS = $_ENV;
   $HTTP_POST_FILES = $_FILES;

   // _SESSION is the only superglobal which is conditionally set
   if (isset($_SESSION))
   {
      $HTTP_SESSION_VARS = $_SESSION;
   }
}

if (@phpversion() < '4.0.0')
{
   // PHP3 path; in PHP3, globals are _always_ registered
   
   // We 'flip' the array of variables to test like this so that
   // we can validate later with isset($test[$var]) (no in_array())
   $test = array('HTTP_GET_VARS' => NULL, 'HTTP_POST_VARS' => NULL, 'HTTP_COOKIE_VARS' => NULL, 'HTTP_SERVER_VARS' => NULL, 'HTTP_ENV_VARS' => NULL, 'HTTP_POST_FILES' => NULL);

   // Loop through each input array
   @reset($test);
   while (list($input,) = @each($test))
   {
      while (list($var,) = @each($$input))
      {
         // Validate the variable to be unset
         if (!isset($test[$var]) && $var != 'test' && $var != 'input')
         {
            unset($$var);
         }
      }
   }
}
else if (@ini_get('register_globals') == '1' || strtolower(@ini_get('register_globals')) == 'on')
{
   // PHP4+ path
   
   // Not only will array_merge give a warning if a parameter
   // is not an array, it will actually fail. So we check if
   // HTTP_SESSION_VARS has been initialised.
   if (!isset($HTTP_SESSION_VARS))
   {
      $HTTP_SESSION_VARS = array();
   }

   // Merge all into one extremely huge array; unset
   // this later
   $input = array_merge($HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS, $HTTP_SERVER_VARS, $HTTP_SESSION_VARS, $HTTP_ENV_VARS, $HTTP_POST_FILES);

   unset($input['input']);
   
   while (list($var,) = @each($input))
   {
      unset($$var);
   }
   
   unset($input);
}
groupcp.php
FIND
Code:
            $username = ( isset($HTTP_POST_VARS['username']) ) ? htmlspecialchars($HTTP_POST_VARS['username']) : '';
REPLACE WITH
Code:
            $username = ( isset($HTTP_POST_VARS['username']) ) ? phpbb_clean_username($HTTP_POST_VARS['username']) : '';
login.php
FIND
Code:
      $username = isset($HTTP_POST_VARS['username']) ? trim(htmlspecialchars($HTTP_POST_VARS['username'])) : '';
      $username = substr(str_replace("\\'", "'", $username), 0, 25);
      $username = str_replace("'", "\\'", $username);
REPLACE WITH
Code:
      $username = isset($HTTP_POST_VARS['username']) ? phpbb_clean_username($HTTP_POST_VARS['username']) : '';
privmsg.php
FIND
Code:
         $to_username = $HTTP_POST_VARS['username'];
REPLACE WITH
Code:
         $to_username = phpbb_clean_username($HTTP_POST_VARS['username']);
FIND
Code:
      $to_username = ( isset($HTTP_POST_VARS['username']) ) ? trim(strip_tags(stripslashes($HTTP_POST_VARS['username']))) : '';
REPLACE WITH
Code:
      $to_username = (isset($HTTP_POST_VARS['username']) ) ? trim(htmlspecialchars(stripslashes($HTTP_POST_VARS['username']))) : '';
FIND
Code:
      'USERNAME' => preg_replace($html_entities_match, $html_entities_replace, $to_username),
REPLACE WITH
Code:
      'USERNAME' => $to_username,
profile.php
FIND
Code:
      include($phpbb_root_path . 'includes/usercp_register.'.$phpEx);
      exit;
   }
AFTER, ADD
Code:
   else if ( $mode == 'confirm' )
   {
      // Visual Confirmation
      if ( $userdata['session_logged_in'] )
      {
         exit;
      }

      include($phpbb_root_path . 'includes/usercp_confirm.'.$phpEx);
      exit;
   }
search.php
FIND
Code:
   $search_author = htmlspecialchars($search_author);
REPLACE WITH
Code:
   $search_author = phpbb_clean_username($search_author);
viewtopic.php
FIND
Code:
   $words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));
REPLACE WITH
Code:
   $words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));
includes/constants.php
FIND
Code:
// Table names
AFTER, ADD
Code:
define('CONFIRM_TABLE', $table_prefix.'confirm');
includes/functions.php
FIND
Code:
//
// Get Userdata, $user can be username or user_id. If force_str is true, the username will be forced.
//
BEFORE, ADD
Code:
// added at phpBB 2.0.11 to properly format the username
function phpbb_clean_username($username)
{
   $username = htmlspecialchars(rtrim(trim($username), "\\"));
   $username = substr(str_replace("\\'", "'", $username), 0, 25);
   $username = str_replace("'", "\\'", $username);

   return $username;
}
FIND
Code:
      $user = trim(htmlspecialchars($user));
      $user = substr(str_replace("\\'", "'", $user), 0, 25);
      $user = str_replace("'", "\\'", $user);
REPLACE WITH
Code:
      $user = phpbb_clean_username($user);
includes/functions_post.php
FIND
Code:
      $username = trim(strip_tags($username));
REPLACE WITH
Code:
      $username = phpbb_clean_username($username);
includes/functions_search.php
FIND
Code:
      $username_search = preg_replace('/\*/', '%', trim(strip_tags($search_match)));
REPLACE WITH
Code:
      $username_search = preg_replace('/\*/', '%', phpbb_clean_username($search_match));
FIND
Code:
      'USERNAME' => ( !empty($search_match) ) ? strip_tags($search_match) : '',
REPLACE WITH
Code:
      'USERNAME' => (!empty($search_match)) ? phpbb_clean_username($search_match) : '',
includes/topic_review.php
FIND
Code:
      if ( !isset($topic_id) )
      {
         message_die(GENERAL_MESSAGE, 'Topic_not_exist');
      }
REPLACE WITH
Code:
      if ( !isset($topic_id) || !$topic_id)
      {
         message_die(GENERAL_MESSAGE, 'Topic_post_not_exist');
      }
includes/usercp_register.php
FIND
Code:
if ( !defined('IN_PHPBB') )
{
   die("Hacking attempt");
BEFORE, ADD
Code:
/*

   This code has been modified from its original form by psoTFX @ phpbb.com
   Changes introduce the back-ported phpBB 2.2 visual confirmation code.

   NOTE: Anyone using the modified code contained within this script MUST include
   a relevant message such as this in usercp_register.php ... failure to do so
   will affect a breach of Section 2a of the GPL and our copyright

   png visual confirmation system : (c) phpBB Group, 2003 : All Rights Reserved

*/
FIND
Code:
   $strip_var_list = array('username' => 'username', 'email' => 'email', 'icq' => 'icq', 'aim' => 'aim', 'msn' => 'msn', 'yim' => 'yim', 'website' => 'website', 'location' => 'location', 'occupation' => 'occupation', 'interests' => 'interests');
AFTER, ADD
Code:
   $strip_var_list['confirm_code'] = 'confirm_code';
FIND
Code:
   $passwd_sql = '';
   if ( !empty($new_password) && !empty($password_confirm) )
BEFORE, ADD
Code:
   if ($board_config['enable_confirm'] && $mode == 'register')
   {
      if (empty($HTTP_POST_VARS['confirm_id']))
      {
         $error = TRUE;
         $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . $lang['Confirm_code_wrong'];
      }
      else
      {
         $confirm_id = htmlspecialchars($HTTP_POST_VARS['confirm_id']);
         if (!preg_match('/^[A-Za-z0-9]+$/', $confirm_id))
         {
            $confirm_id = '';
         }
         
         $sql = 'SELECT code
            FROM ' . CONFIRM_TABLE . "
            WHERE confirm_id = '$confirm_id'
               AND session_id = '" . $userdata['session_id'] . "'";
         if (!($result = $db->sql_query($sql)))
         {
            message_die(GENERAL_ERROR, 'Could not obtain confirmation code', __LINE__, __FILE__, $sql);
         }

         if ($row = $db->sql_fetchrow($result))
         {
            if ($row['code'] != $confirm_code)
            {
               $error = TRUE;
               $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . $lang['Confirm_code_wrong'];
            }
            else
            {
               $sql = 'DELETE FROM ' . CONFIRM_TABLE . "
                  WHERE confirm_id = '$confirm_id'
                     AND session_id = '" . $userdata['session_id'] . "'";
               if (!$db->sql_query($sql))
               {
                  message_die(GENERAL_ERROR, 'Could not delete confirmation code', __LINE__, __FILE__, $sql);
               }
            }
         }
         else
         {      
            $error = TRUE;
            $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . $lang['Confirm_code_wrong'];
         }
         $db->sql_freeresult($result);
      }
   }
FIND
Code:
      $template->assign_block_vars('switch_namechange_disallowed', array());
   }
AFTER, ADD
Code:
   // Visual Confirmation
   $confirm_image = '';
   if (!empty($board_config['enable_confirm']) && $mode == 'register')
   {
      $sql = 'SELECT session_id
         FROM ' . SESSIONS_TABLE;
      if (!($result = $db->sql_query($sql)))
      {
         message_die(GENERAL_ERROR, 'Could not select session data', '', __LINE__, __FILE__, $sql);
      }

      if ($row = $db->sql_fetchrow($result))
      {
         $confirm_sql = '';
         do
         {
            $confirm_sql .= (($confirm_sql != '') ? ', ' : '') . "'" . $row['session_id'] . "'";
         }
         while ($row = $db->sql_fetchrow($result));
      
         $sql = 'DELETE FROM ' .  CONFIRM_TABLE . "
            WHERE session_id NOT IN ($confirm_sql)";
         if (!$db->sql_query($sql))
         {
            message_die(GENERAL_ERROR, 'Could not delete stale confirm data', '', __LINE__, __FILE__, $sql);
         }
      }
      $db->sql_freeresult($result);

      $sql = 'SELECT COUNT(session_id) AS attempts
         FROM ' . CONFIRM_TABLE . "
         WHERE session_id = '" . $userdata['session_id'] . "'";
      if (!($result = $db->sql_query($sql)))
      {
         message_die(GENERAL_ERROR, 'Could not obtain confirm code count', '', __LINE__, __FILE__, $sql);
      }

      if ($row = $db->sql_fetchrow($result))
      {
         if ($row['attempts'] > 3)
         {
            message_die(GENERAL_MESSAGE, $lang['Too_many_registers']);
         }
      }
      $db->sql_freeresult($result);
      
      $confirm_chars = array('A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J',  'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T',  'U', 'V', 'W', 'X', 'Y', 'Z', '1', '2', '3', '4', '5', '6', '7', '8', '9');

      list($usec, $sec) = explode(' ', microtime());
      mt_srand($sec * $usec);

      $max_chars = count($confirm_chars) - 1;
      $code = '';
      for ($i = 0; $i < 6; $i++)
      {
         $code .= $confirm_chars[mt_rand(0, $max_chars)];
      }

      $confirm_id = md5(uniqid($user_ip));

      $sql = 'INSERT INTO ' . CONFIRM_TABLE . " (confirm_id, session_id, code)
         VALUES ('$confirm_id', '". $userdata['session_id'] . "', '$code')";
      if (!$db->sql_query($sql))
      {
         message_die(GENERAL_ERROR, 'Could not insert new confirm code information', '', __LINE__, __FILE__, $sql);
      }

      unset($code);
      
      $confirm_image = (@extension_loaded('zlib')) ? '<img src="' . append_sid("profile.$phpEx?mode=confirm&amp;id=$confirm_id") . '" alt="" title="" />' : '<img src="' . append_sid("profile.$phpEx?mode=confirm&amp;id=$confirm_id&amp;c=1") . '" alt="" title="" /><img src="' . append_sid("profile.$phpEx?mode=confirm&amp;id=$confirm_id&amp;c=2") . '" alt="" title="" /><img src="' . append_sid("profile.$phpEx?mode=confirm&amp;id=$confirm_id&amp;c=3") . '" alt="" title="" /><img src="' . append_sid("profile.$phpEx?mode=confirm&amp;id=$confirm_id&amp;c=4") . '" alt="" title="" /><img src="' . append_sid("profile.$phpEx?mode=confirm&amp;id=$confirm_id&amp;c=5") . '" alt="" title="" /><img src="' . append_sid("profile.$phpEx?mode=confirm&amp;id=$confirm_id&amp;c=6") . '" alt="" title="" />';
      $s_hidden_fields .= '<input type="hidden" name="confirm_id" value="' . $confirm_id . '" />';

      $template->assign_block_vars('switch_confirm', array());
   }
FIND
Code:
      'EMAIL' => $email,
AFTER, ADD
Code:
      'CONFIRM_IMG' => $confirm_image,
FIND
Code:
      'L_EMAIL_ADDRESS' => $lang['Email_address'],
AFTER, ADD
Code:

      'L_CONFIRM_CODE_IMPAIRED'   => sprintf($lang['Confirm_code_impaired'], '<a href="mailto:' . $board_config['board_email'] . '">', '</a>'),
      'L_CONFIRM_CODE'         => $lang['Confirm_code'],
      'L_CONFIRM_CODE_EXPLAIN'   => $lang['Confirm_code_explain'],
includes/usercp_sendpasswd.php
FIND
Code:
   $username = ( !empty($HTTP_POST_VARS['username']) ) ? trim(strip_tags($HTTP_POST_VARS['username'])) : '';
REPLACE WITH
Code:
   $username = ( !empty($HTTP_POST_VARS['username']) ) ? phpbb_clean_username($HTTP_POST_VARS['username']) : '';
includes/usercp_viewprofile.php
FIND
Code:
include($phpbb_root_path . 'includes/page_header.'.$phpEx);
AFTER, ADD
Code:
if (function_exists('get_html_translation_table'))
{
   $u_search_author = urlencode(strtr($profiledata['username'], array_flip(get_html_translation_table(HTML_ENTITIES))));
}
else
{
   $u_search_author = urlencode(str_replace(array('&amp;', '&#039;', '&quot;', '&lt;', '&gt;'), array('&', "'", '"', '<', '>'), $profiledata['username']));
}
FIND
Code:
   'U_SEARCH_USER' => append_sid("search.$phpEx?search_author=" . urlencode($profiledata['username'])),
REPLACE WITH
Code:
   'U_SEARCH_USER' => append_sid("search.$phpEx?search_author=" . $u_search_author),
templates/subSilver/admin/board_config_body.tpl
FIND
Code:
      <td class="row2"><input type="radio" name="require_activation" value="{ACTIVATION_NONE}" {ACTIVATION_NONE_CHECKED} />{L_NONE}&nbsp; &nbsp;<input type="radio" name="require_activation" value="{ACTIVATION_USER}" {ACTIVATION_USER_CHECKED} />{L_USER}&nbsp; &nbsp;<input type="radio" name="require_activation" value="{ACTIVATION_ADMIN}" {ACTIVATION_ADMIN_CHECKED} />{L_ADMIN}</td>
   </tr>
   <tr>
AFTER, ADD
Code:
      <td class="row1">{L_VISUAL_CONFIRM}<br /><span class="gensmall">{L_VISUAL_CONFIRM_EXPLAIN}</span></td>
      <td class="row2"><input type="radio" name="enable_confirm" value="1" {CONFIRM_ENABLE} />{L_YES}&nbsp; &nbsp;<input type="radio" name="enable_confirm" value="0" {CONFIRM_DISABLE} />{L_NO}</td>
   </tr>
   <tr>
The following changes were introduced in earlier versions of phpBB. In those versions these edits were optional because they were a part of the optional visual confirmation system. Since the visual confirmation has become a default phpBB feature in 2.0.11, these changes are now required. They have been included here for those that may not have installed the changes earlier or have a template or language pack that lacks similar code to support the new visual confirmation system.
language/lang_english/lang_main.php
FIND
Code:
//
// That's all, Folks!
// -------------------------------------------------
BEFORE, ADD
Code:
$lang['Confirm_code_wrong'] = 'The confirmation code you entered was incorrect';
$lang['Too_many_registers'] = 'You have exceeded the number of registration attempts for this session. Please try again later.';
$lang['Confirm_code_impaired'] = 'If you are visually impaired or cannot otherwise read this code please contact the %sAdministrator%s for help.';
$lang['Confirm_code'] = 'Confirmation code';
$lang['Confirm_code_explain'] = 'Enter the code exactly as you see it. The code is case sensitive and zero has a diagonal line through it.';
language/lang_english/lang_admin.php
FIND
Code:
//
// That's all Folks!
// -------------------------------------------------
BEFORE, ADD
Code:
$lang['Visual_confirm'] = 'Enable Visual Confirmation';
$lang['Visual_confirm_explain'] = 'Requires users enter a code defined by an image when registering.';
templates/subSilver/profile_add_body.tpl
FIND
Code:
   <tr>
     <td class="row1"><span class="gen">{L_CONFIRM_PASSWORD}: * </span><br />
      <span class="gensmall">{L_PASSWORD_CONFIRM_IF_CHANGED}</span></td>
     <td class="row2">
      <input type="password" class="post" style="width: 200px" name="password_confirm" size="25" maxlength="32" value="{PASSWORD_CONFIRM}" />
     </td>
   </tr>
AFTER, ADD
Code:
   <!-- Visual Confirmation -->
   <!-- BEGIN switch_confirm -->
   <tr>
      <td class="row1" colspan="2" align="center"><span class="gensmall">{L_CONFIRM_CODE_IMPAIRED}</span><br /><br />{CONFIRM_IMG}<br /><br /></td>
   </tr>
   <tr>
     <td class="row1"><span class="gen">{L_CONFIRM_CODE}: * </span><br /><span class="gensmall">{L_CONFIRM_CODE_EXPLAIN}</span></td>
     <td class="row2"><input type="text" class="post" style="width: 200px" name="confirm_code" size="6" maxlength="6" value="" /></td>
   </tr>
   <!-- END switch_confirm -->
Code from phpBB 2.0.10 and 2.0.11 is copyright by the phpBB Group. Find these and other code changes at phpBBHacks.com.
Compiled by your friendly neighborhood Thoul from the phpBB 2.0.7 - 2.0.11 files.