1 arjay Jul 13, 2008 09:19
3 arjay Jul 13, 2008 20:01
Thanks for the detailed reply. Yes, my bad - I didn't really mean a security issue. Of course, what I meant was that a bot or spammer or whatever could fire off spam to anyone who had an email icon next to their entries - I didn't explain very well.
I am reassured by your other points. I did not know it was possible to turn off the "contact me" aspect - though on thinking about it, yes, of course, I could remove the option from the skin.
That's good enough for me :lol:
Richard
4 yabba Jul 13, 2008 20:04
Personally, I also killed the contact ability in htsrv/summat.php ... if the destination isn't user 1 then you get told to shove your nokia up your valium dilated arse whilst timing the process with your genuine replica rolex ;)
Technically incorrect, if you hit htsrv folder on my server you don't even get a chance to time yerself ... try pastel-palace/summat.php if you wish to get a chance to use your crap watch ;)
¥
5 arjay Jul 14, 2008 11:08
Boy - some knowledge gap here. I have absolutely NO idea what you are talking about. Caveman means advanced alien or what. :-/
I must say that I am struggling with the combination of php files and widgets. I have designed one website before, where I wrote pretty well all the css/html myself from first principles (i.e. no design software). I even had a bit of java in there (slideshow) and for goodness sake even a bit of php (captcha and the like).
So when I do my second site I think - hmmm I might try a blog here - can't be that difficult. :lol: I look in my hosts repos and find that "all" they have is b2evo - so I think "Give this a go". Blimey. Thinking I am clever, the first thing I do is hit View Source - that will tell me where everything is, and there it was in all its glory - HTML everything. Er, no. What it was, was about 30-40 php files some even calling each other in a fine old merry-go-round.
Then I find something called widgets - well to be more precise I spend a day trying to find where a particular widget is hiding so that I can change something. Now, it seems to me that for widgets to work the way you want them to, either you have to have some serious knowledge and experience of php and widgetology, or you have to be a complete dumbo who just sticks one in and never feels the need to change anything.
Is there, somewhere, a list of all the php files and what each one does - that sure would help us newbies? I am fine with css.style and index.main.php but the rest is still pretty much a mystery.
Here is one example: When someone clicks on any category other than ALL in my sidebar, the result is a great big heading printed out above the first post - completely buggering up my carefully lined up material, including a slideshow running above the posts. OK, so something probably needs changing in css to stop everything above this category title from being pushed up.
But for the moment, what I want to do is TURN OFF the appearance of this title. The question is where is it being generated? I can fiddle around opening every php file that sounds as if it has something to do with Sidebar. Searching for the content of files using Nautilus is a waste of time (might have to install Konqueror which did this easily enough). It is taking me HOURS just to do the simplest thing. It is only a blog for goodness sake - I have the rest of the website to stitch together!
Well I've rambled on enough - you get my drift - I am sure.
6 yabba Jul 14, 2008 11:40
Ok, let me try and explain what I mean :
conf/_advanced.php ( approx 418 ) dictates the name and location of your "htsrv" folder. I renamed mine to "pastel-palace" and amended the setting to suit :
/**
 * Location of the HTml SeRVices folder.
 *
 * Note: This folder NEEDS to be accessible through HTTP.
 *
 * @global string $htsrv_subdir
 */
$htsrv_subdir = 'pastel-palace/'; // Subdirectory relative to base
$htsrv_path = $basepath.$htsrv_subdir; // You should not need to change this
$htsrv_url = $baseurl.$htsrv_subdir; // You should not need to change this
This slows down the spammers as they first need to find my folder ( not rocket science for them ). At the same time I redirect all hits to "/htsrv/" to an IP banning script that I run ... you'd be amazed how many dumb arse spammers it catches ;)
To limit all "emails" to just the admin user I also cracked open /htsrv[now called pastel-palace]/message_send.php ( approx line 107 ) and added a check for the user ID being 1 ( ie/ just me )
// Getting GET or POST parameters:
param( 'blog', 'integer', '' );
param( 'recipient_id', 'integer', '' );
if( $recipient_id != 1 )
{ // kill the arse
    $SpamHound->ban_ip();
}
Just replace the $SpamHound bit with :
die( 'Sorry, that user doesn\'t wish to be contacted right now' );
To stop the contact links being shown ( even if user / visitor ticks "yeah let them spam me" ) I removed this section of code from my version of _item_comment.inc.php ( approx 53 )
$Comment->msgform_link( $Blog->get('msgformurl') );
About the only place I know where you can find a list of all the files is in the [url=http://doc.b2evolution.net/v-2-4/]docs[/url], but I find it easier to read code than read docs so I usually just crack open the files .... helped by the fact that I've been using evo for a tad now.
The "bloody big title" is generated by this section of code in /skins/[skin]/index.main.php ... and probably single.main.php and posts.main.php. It's one of the first things I kill when redoing my skin
<?php
// ------------------------ TITLE FOR THE CURRENT REQUEST ------------------------
request_title( array(
    'title_before'      => '<h2>',
    'title_after'       => '</h2>',
    'title_none'        => '',
    'glue'              => ' - ',
    'title_single_disp' => true,
    'format'            => 'htmlbody',
) );
// ----------------------------- END OF REQUEST TITLE ----------------------------
?>
Widgets are a tad tougher, most of the core widgets live in inc/widgets/widgets/_various_widget_files.php .. although some of them have their content generated in inc/widgets/model/_widget.class.php. The rest live in your plugins folder and all 3rd party ones live in your plugins folder.
We have tried to make sure that all the core widgets have a load of params so that you can change what they do on their settings page ( admin > blog settings > [blog ] > widgets > [widget] ), but if you feel more are needed then just holler ;)
Once you've played around for a while things become easier, in the meantime feel free to bug us with "where the hell do I find this?" style of questions ;)
¥
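A stand-alone version of the recipient check described in this post, as an added example (not b2evolution's or yabba's own code): it keeps the "only these user IDs" idea but refuses missing or non-numeric input outright and logs each refusal instead of banning, so probes of the contact form are visible in the host's logs. The $allowed_recipients array, log_refusal() and the log line format are assumptions of this example; the die() text is the one quoted above.

```php
<?php
// Added example, not b2evolution's own code: a stand-alone version of the
// recipient check yabba adds to message_send.php, generalised to an allowlist
// that fails closed on bad input and logs each refusal. $allowed_recipients
// and the log line format are assumptions; the die() text is from the post.
declare(strict_types=1);

// User IDs that may be contacted through the form (yabba's version: just 1).
$allowed_recipients = [1];

// True only when the submitted ID is a string of digits on the allowlist.
function recipient_allowed($raw_id, array $allowed): bool
{
    // Missing, empty, array or non-digit values are refused, not coerced to 0.
    if (!is_scalar($raw_id) || !ctype_digit((string) $raw_id)) {
        return false;
    }
    return in_array((int) $raw_id, $allowed, true);
}

// One line per refused attempt, sent to the PHP error log so repeated probes
// of the contact form are visible in the host's logs. Returns the line.
function log_refusal(string $ip, $raw_id, string $path): string
{
    $line = sprintf('%s contact refused: ip=%s recipient=%s path=%s',
        date('c'), $ip, var_export($raw_id, true), $path);
    error_log($line);
    return $line;
}

if (PHP_SAPI === 'cli') {
    // Command-line run: exercise the check with constructed inputs.
    foreach (['1', '2', 'abc', '', null] as $probe) {
        printf("recipient %-5s -> %s\n", var_export($probe, true),
            recipient_allowed($probe, $allowed_recipients) ? 'allowed' : 'refused');
    }
} else {
    // Web request: same spot as yabba's check, right after the params are read.
    $recipient_id = $_REQUEST['recipient_id'] ?? null;
    if (!recipient_allowed($recipient_id, $allowed_recipients)) {
        log_refusal($_SERVER['REMOTE_ADDR'] ?? 'unknown', $recipient_id,
            $_SERVER['REQUEST_URI'] ?? '');
        http_response_code(403);
        die('Sorry, that user doesn\'t wish to be contacted right now');
    }
}
```

Run from the command line it prints one allowed/refused line per constructed probe; dropped into the web path it refuses with a 403 and a log entry for anything not on the allowlist.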
7 arjay Jul 14, 2008 12:44
Thanks for such a detailed and helpful reply. Patient, courteous, knowledgeable - yugh I hate perfect people.
Seriously - I am most grateful and will try out your suggestions. I had already renamed the htsrv folder. Now I am off to hack my php files about.
Regards
Richard
8 yabba Jul 14, 2008 12:47
You'll be pleased to know that I have a squint and walk with a limp ....
Kidding, I really am perfect :roll:
¥
9 arjay Jul 14, 2008 13:04
Hey Quasimodo
Quick update. I removed the offending bit of code:
<?php
// ------------------------ TITLE FOR THE CURRENT REQUEST ------------------------
request_title( array(
    'title_before'      => '<h2>',
    'title_after'       => '</h2>',
    'title_none'        => '',
    'glue'              => ' - ',
    'title_single_disp' => true,
    'format'            => 'htmlbody',
) );
// ----------------------------- END OF REQUEST TITLE ----------------------------
?>
and it works fine. Now, no titles and my beautifully crafted page (if I say so myself) remains just as intended.
Cheers pal
10 yabba Jul 14, 2008 13:05
No problem ;)
¥
11 edb Jul 14, 2008 17:00
Hey here's a thought unrequested: Figure out in your mind how much time you spent learning everything it took to learn how to do a 20th century web page (html + css) and how many mistakes you made along the way and how much your knowledge grew as you worked through those mistakes, then just click on stuff in your blog's back office until things start to make sense again.
Widgets are no problem - just click on them. Read whatever they have to say, determine in your mind how that *should* change what's on the page, click stuff, then see how the page actually changed. AFTER you have a feel for how the whole show works then go tinkering under the hood tuning stuff up.
Except the skins. In your /skins/yourskin/ folder you have some files. Those files pretty much dictate what will be where on the page, so read through the comments about what's what and give an eye to the names of various "php bits" and get a feel for what does what - then tinker straight away. For example "request_title" certainly does sound like something is requesting a title eh? And "title_before" and "title_after" sorta sound like (heck they even look like) things that would go before and after a title, so play with 'em.
One thing I did that I think is still in my blog was to tell it "okay each bit in this container is going to get a class that matches the name of the bit". So like if it had a <li> in the bit called "something_group_before_after" I made it be <li class="something_group_before_after"> just so I could view source to figure out EXACTLY which bit ended up where. Now I know but heck I don't really care that much so I don't do anything with it ... but I know is the thing and can play with it in detail if I want to.
So anyway just click on stuff. You weren't born able to do html+css so don't sweat it if a million php files seems a bit ... wrong. It all works so just get to know it and then get inside it.
12 yabba Jul 14, 2008 18:07
EdB wrote:
You weren't born able to do html+css
You weren't? :O:O
I mean, we aren't :O:O .... of course :|
¥
13 arjay Jul 14, 2008 18:36
Wise words EdB. And I have taken them on board - believe me. Not sure if it is my clicking finger or my brain that hurts the most. :lol: I must say that I found it very reassuring to be able to edit the html or css in "real time" with web developer and watch as whole bits of text jumped around the screen - great fun. Your post seemed to suggest that I could do the same with php. I haven't figured out how. At the moment, I am opening the files either on my local server, changing them and uploading to see the effect, or trying basically the same things through the backoffice function. Still seems more labour intensive but maybe I am missing something.
However, there is one crucial difference between my first and second websites. The first was just an effort to teach myself css/html and produce a "not-for-profit" website for my car club. No great pressure, anything was going to be better than nothing, and lots of fun was had on the way. I actually had two monitors hooked up with the developing webpage on one and my css, html, and sql manuals on the other.
This time round, though, things are a bit different. I am designing what I hope will be a very successful commercial site. It is a very ambitious program with much more content - possibly a bit too much for me. What I might have to do is upload most of the site and get the basics running - with the blog, forum etc to come later.
Don't get me wrong, I have not lost my appetite for discovery and I am going to beat this here php thing or die trying. But I want to get it done reasonably quickly - need some money and don't want to lose any competitive advantage I may have. Did consider paying someone to do some of the dev work but I just haven't got it in me to give someone money for something that I might well be able to do myself. Not, anyway, until I have some revenue to pay them out of. I am retired and would have to pay out of savings rather than income. Strange feeling at first - if you are not there yet, wait until you see what I mean :roll:
Talking of paying - no, not money - I must pay ya'all a great compliment for the friendliness and high level of technical support you hand out all day long and half the night too by the look of it. Full of admiration for you.
Now, must be off to see what the next php file does if I delete half of it :lol:
14 yabba Jul 14, 2008 19:15
arjay wrote:
I actually had two monitors hooked up
yah see .. that's where you lost it to ( the perfect ) [url=http://www.google.co.uk/search?hl=en&q=whipper-snapper&btnG=Google+Search&meta=]whipper-snappers[/url] like me .... ok, ok, I was a whipper-snapper in my heyday huh? .... sheesh, make allowances for the ageing process :p
Most editors will allow you to edit remote files ( even php ), just try entering "hello worlds" in various places and pressing refresh ... you'll giggle like a bitch when you first see an expected result ..... if yer a real geek you'll giggle like a bitch when you see an unexpected result as well ;)
The good news is that EdB will be glowing inside knowing that there's another of the silver surfers in the forums :D
¥
15 edb Jul 15, 2008 00:42
WAMP or maybe WAMPP or WAMMP or something like that. Install it on your computer, "upload" b2evolution to it, run it like your PC was a server. Find a thread in the chat forum here that talks about making it actually work.
16 arjay Jul 15, 2008 09:31
EdB - I run linux on all my PCs - I only have Windows on one test machine where I can make sure that my prototype website will run OK in strange software like IE6 and 7. But I have got LAMP (Linux version of WAMP I presume) working fine on my local server. As you say, it is great for being able to mess about with things before uploading to the actual host's server.
I am probably teaching a few grandmothers to suck eggs here, but for what it is worth - there are a couple of things to watch out for, for anyone who wants to do the same thing. First, it is easy to get into file pointing problems since addresses on a local server often don't completely correspond to what you want when you actually get on line. A lot of stuff points to http://localhost or whatever, not http://www.myfinalsite.net. This can play havoc with things like menu links. So you may have to change a lot of these just before uploading.
The other thing I found was that my ISP does not always have the latest version of some software - Coppermine and PhpBB come to mind. It helps to run the same versions on your PC as you will find when the site goes to the ISP's server.
BTW - something else that you can't really do on your local server is test some real world stuff like having someone send you test posts and comments to check out stuff coming from other ip addresses and so on.
Oh, one other thing springs to mind. I made some changes to files on my PC like php.ini, forgetting that this file is not accessible on my ISP's shared server, for obvious reasons. I had to ask the ISP (wonderfully understanding guys at netpivotal.co.uk) to initiate those changes for me.
What I would actually recommend for someone who wants to go down this road is first to set up LAMP/WAMP on a local PC. Mess about with everything to your heart's content. When you have about 50% understanding of what you are doing (reckon I am about there now) and have a rough set of pages together, upload what you have to a password-protected directory on the ISP's server. This is where I am at now.
That way, I am not embarrassed by people I don't know, looking at my rather thin pages and silly mistakes. I also don't get Google and the rest indexing pages that probably won't be in that form when the site goes live.
I have given the address and password to a few select people who will only say bad things in a nice way :lol: - maybe even you folks when the time comes (hey steady on, get real).
Regards from sunny Spain
RJ
Well it is not an email link so it's not as ugly as an email link, meaning bots cannot harvest an email address from it. It links to a form that has some native antispam measures and can be enhanced with plugins. Also each link goes to an author - not every poster, which is slightly different from "that accesses the blog can send an email to every poster".
Technically speaking, a bot can be written to handle every situation. EVERY situation including captcha-protected interaction. Well, not every situation because I honestly believe my TuringTest is bot-proof. So to your question of can bots respond: probably but I don't think any bot-authors have bothered to write a bot specifically focused on b2evolution's form field names. By the way I am probably completely wrong because for them there is money in it - but most don't focus on details like they should.
By the way I'm fairly certain two things can address this without a plugin. First your bloggers can turn off the 'contact me' feature. If that is not the case for the email icon associated with each post, then for sure you can edit the skin you're using to not have that particular bit in it.
So to summarize: bots can be written to attack b2evolution message forms, but I don't think they have but wouldn't be surprised if they have. You can protect against this with TuringTest, or maybe by turning off the contact me feature, and most certainly by removing the icon from your skin.
By the way in no way shape or form is this a "security" issue. Your blog passwords are not compromised, nor is your server at risk, and no one will have their email address exposed. Plus "I got spam" is certainly not a security issue!