I am building a small fan website (using WordPress 3.0) and I wanted to add forums to it.
My hosting provider is Windows based (IIS 7.0) and I've had some problems in the past regarding server configuration (mostly regarding $_SERVER['DOCUMENT_ROOT'] and the './' root physical paths), but until the company was absorbed by another hosting provider they were very kind and fixed everything for me, or I was able to fix it myself.
I tried PHPBB 3.0 software, and had so many problems that I dismissed it for the old PHPBB 2.X (there's apparently an unofficial group maintaining it), a version that I know from the past and, now that I'm proficient in PHP, could tune up.
I installed it, hacked it to be able to set up a Google Apps for Domain email (added support for HTTPS mail authentication), set up the typical user email activation, and days later I started getting spam bots registered.
I added reCAPTCHA and yet the bots were able to bypass it.
I added a custom human question very hard to answer (choose one option, random position of both correct and incorrect answers, etc.) and fully done from scratch by myself. Still no luck.
I modified some URL parameters, variable and POST field names, and yet they enter.
Today I spent a few hours reading about the topic, and it seems that PHPBB 2.X is so full of flaws that nobody knows how they work, and that there's no silver bullet to properly fix it, just a couple of mods, hacks and code changes that do not guarantee anything.
So I'll probably just remove the forum and install something that actually works, probably SMF, which also gave me some problems related to some hosting/Windows PHP issue, but that at least looks worth my time because they are built more properly.
Checking the internals of PHPBB 2 sometimes almost made me puke at how badly it is coded. Back in 2001-2002, when I built La Web de Programación as an independent website, I built my own ASP 3.0 forums from scratch, and although the code looks crap to me now, it already was much better than what I've seen.
I haven't checked the PHPBB 3 sources in depth, but I'm going to stay away from it because not fixing flaws in software still used in quite a few places worries me. These spam bots are fully bypassing the registration process and the creators didn't care to search for and fix the problem, so what will happen in the future? More holes and a mandatory 4.0 version? More non-Linux hosting issues? No thanks, I have better things to do.
And I've read that the same happens to other software such as PHPNuke, with many people complaining about hacked websites because of using it.
So the lesson learned here is clear: Stay away from old PHP frameworks/software, not because they might not be fast enough or support AJAX, but because they will surely be full of security holes.
This is the legacy that PHP often leaves: bad developers creating bad software and not knowing how to fix it properly.