Re: phpBB3 Release Candidate 1 (RC1) Released
Oooh ayy!... the phpbb website finally looks decent!
One thing that surprises me about phpbb3 is that it doesn't look like they've done much to improve security, or rather to adopt a better standard of programming practice. In particular what I'm referring to is the includes library - using the .php file extension on function files which are only ever meant to be included, never called directly. As we know from the past, any mods that add files or changes to the includes directory, and which do not declare variables properly, can then be executed, with values being parsed to a variable, opening the way for remote file inclusions. Simply by changing the extension of files in includes from .php to something like .lib - e.g. functions.lib, would then mean that the files can never be executed directly (unless a suicidal admin changed the extension settings in his php server!). And after all, calling them something like .lib is more appropriate to their purpose - as libraries of functions, rather than something to be executed, just as this is the standard practice of file naming in C++. In fact it is just general common sense!
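As an added illustration (not code from the post or from phpBB itself), the pattern the post warns about beside the guard phpBB's own entry scripts rely on: a library file under includes/ that refuses to run unless the calling script has first defined the `IN_PHPBB` marker, and that builds include paths only from values the entry script set. `$phpbb_root_path` and `$phpEx` are phpBB's conventional names; the file name `functions_example.php` and the helper are assumptions.

```php
<?php
// includes/functions_example.php  (hypothetical library file added by a mod)
//
// Risky shape the post describes: when this file is requested directly,
// no entry script has set $phpbb_root_path. With register_globals enabled
// (or a mod that fills the variable from request input), a request-controlled
// value reaches include(), which is a remote/local file inclusion.
//
//   include($phpbb_root_path . 'includes/helper.' . $phpEx);   // never ship this unguarded
//
// Hardened shape: stop immediately unless an entry script defined IN_PHPBB,
// and take the path components from the caller, never from the request.

if (!defined('IN_PHPBB'))
{
    // Direct request to includes/functions_example.php: nothing runs.
    exit;
}

/**
 * Build the path of a sibling include from values the entry script owns.
 * Neither argument is read from $_GET/$_POST/$_REQUEST.
 */
function example_helper_path($root_path, $ext)
{
    return $root_path . 'includes/helper.' . $ext;
}

// An entry script (e.g. index.php) is expected to do, in this order:
//   define('IN_PHPBB', true);
//   $phpbb_root_path = './';
//   $phpEx = 'php';
//   include($phpbb_root_path . 'includes/functions_example.' . $phpEx);
//   include(example_helper_path($phpbb_root_path, $phpEx));
```

Denying direct web requests to includes/ at the web-server level (an Apache `<Files>` deny rule or the equivalent in another server) achieves the effect of the post's .lib renaming without touching PHP's handler configuration, and the constant guard still protects files that are copied elsewhere.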