These are the code changes introduced between phpBB 2.0.6 and phpBB 2.0.7. If you have installed many hacks on a forum but wish to update it, these may help you. It is often easier to apply code changes such as these than to replace your current files and reapply your hacks to them.
There were several security updates made to phpBB 2.0.6 after its initial release. The last version of phpBB 2.0.6, called 2.0.6d, included all of those changes and was released shortly before 2.0.7. phpBB 2.0.7 includes all of those changes plus a few new ones. Since this document covers the code changes from 2.0.6 to 2.0.7, every change is listed here, including those already present in 2.0.6d.
These code changes use the following instruction labels:
FIND - This indicates lines of code you should locate. Changes will be made in reference to this code.
REPLACE WITH - This code should completely replace the code in the preceding FIND instruction.
AFTER, ADD - The code in this instruction should be added on a new line after the last line of code in the preceding FIND instruction.
FIND AND DELETE - Locate the code in this instruction as with a FIND statement, and then delete the code.
Once you have completed the code changes, create an install/ directory in your forum's root directory, and upload the update_to_207.php file that comes with any phpBB 2.0.7 download to the install/ directory. Run update_to_207.php by opening it in your web browser, just as you would a normal forum page. Afterward, delete the file and the install/ directory so that your forum is accessible again.
Now, onward to the file changes!
groupcp.php
FIND
Code:
$mode = ( isset($HTTP_POST_VARS['mode']) ) ? $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
AFTER, ADD
Code:
$mode = htmlspecialchars($mode);
FIND
Code:
$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . $members[$i];
REPLACE WITH
Code:
$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . intval($members[$i]);
index.php
FIND
Code:
if( !($result = $db->sql_query($sql)) )
{
message_die(GENERAL_ERROR, 'Could not query categories list', '', __LINE__, __FILE__, $sql);
}
while( $category_rows[] = $db->sql_fetchrow($result) );
AFTER, ADD
Code:
$db->sql_freeresult($result);
FIND
Code:
while( $row = $db->sql_fetchrow($result) )
{
$forum_data[] = $row;
}
AFTER, ADD
Code:
$db->sql_freeresult($result);
FIND
Code:
while( $topic_data = $db->sql_fetchrow($result) )
{
$new_topic_data[$topic_data['forum_id']][$topic_data['topic_id']] = $topic_data['post_time'];
}
AFTER, ADD
Code:
$db->sql_freeresult($result);
FIND
Code:
while( $row = $db->sql_fetchrow($result) )
{
$forum_moderators[$row['forum_id']][] = '<a href="' . append_sid("profile.$phpEx?mode=viewprofile&" . POST_USERS_URL . "=" . $row['user_id']) . '">' . $row['username'] . '</a>';
}
AFTER, ADD
Code:
$db->sql_freeresult($result);
FIND
Code:
while( $row = $db->sql_fetchrow($result) )
{
$forum_moderators[$row['forum_id']][] = '<a href="' . append_sid("groupcp.$phpEx?" . POST_GROUPS_URL . "=" . $row['group_id']) . '">' . $row['group_name'] . '</a>';
}
AFTER, ADD
Code:
$db->sql_freeresult($result);
login.php
FIND
Code:
if( $session_id )
{
$url = ( !empty($HTTP_POST_VARS['redirect']) ) ? $HTTP_POST_VARS['redirect'] : "index.$phpEx";
redirect(append_sid($url, true));
}
REPLACE WITH
Code:
if( $session_id )
{
$url = ( !empty($HTTP_POST_VARS['redirect']) ) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : "index.$phpEx";
redirect(append_sid($url, true));
}
FIND
Code:
else
{
$redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? $HTTP_POST_VARS['redirect'] : '';
$redirect = str_replace('?', '&', $redirect);
$template->assign_vars(array(
REPLACE WITH
Code:
else
{
$redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : '';
$redirect = str_replace('?', '&', $redirect);
$template->assign_vars(array(
FIND
Code:
else
{
$redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? $HTTP_POST_VARS['redirect'] : "";
$redirect = str_replace("?", "&", $redirect);
$template->assign_vars(array(
REPLACE WITH
Code:
else
{
$redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : "";
$redirect = str_replace("?", "&", $redirect);
$template->assign_vars(array(
FIND
Code:
if (!empty($HTTP_POST_VARS['redirect']) || !empty($HTTP_GET_VARS['redirect']))
{
$url = (!empty($HTTP_POST_VARS['redirect'])) ? $HTTP_POST_VARS['redirect'] : $HTTP_GET_VARS['redirect'];
redirect(append_sid($url, true));
}
else
{
redirect(append_sid("index.$phpEx", true));
}
}
else
{
$url = ( !empty($HTTP_POST_VARS['redirect']) ) ? $HTTP_POST_VARS['redirect'] : "index.$phpEx";
redirect(append_sid($url, true));
}
REPLACE WITH
Code:
if (!empty($HTTP_POST_VARS['redirect']) || !empty($HTTP_GET_VARS['redirect']))
{
$url = (!empty($HTTP_POST_VARS['redirect'])) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : htmlspecialchars($HTTP_GET_VARS['redirect']);
redirect(append_sid($url, true));
}
else
{
redirect(append_sid("index.$phpEx", true));
}
}
else
{
$url = ( !empty($HTTP_POST_VARS['redirect']) ) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : "index.$phpEx";
redirect(append_sid($url, true));
}
memberlist.php
FIND
Code:
$i++;
}
while ( $row = $db->sql_fetchrow($result) );
AFTER, ADD
Code:
$db->sql_freeresult($result);
FIND
Code:
$pagination = generate_pagination("memberlist.$phpEx?mode=$mode&order=$sort_order", $total_members, $board_config['topics_per_page'], $start). ' ';
}
AFTER, ADD
Code:
$db->sql_freeresult($result);
posting.php
FIND
Code:
$$var = ( !empty($HTTP_POST_VARS[$param]) ) ? $HTTP_POST_VARS[$param] : $HTTP_GET_VARS[$param];
REPLACE WITH
Code:
$$var = ( !empty($HTTP_POST_VARS[$param]) ) ? htmlspecialchars($HTTP_POST_VARS[$param]) : htmlspecialchars($HTTP_GET_VARS[$param]);
FIND
Code:
$post_info = $db->sql_fetchrow($result);
AFTER, ADD
Code:
$db->sql_freeresult($result);
FIND
Code:
$poll_results_sum += $row['vote_result'];
}
while ( $row = $db->sql_fetchrow($result) );
}
AFTER, ADD
Code:
$db->sql_freeresult($result);
FIND
Code:
$notify_user = ( $db->sql_fetchrow($result) ) ? TRUE : $userdata['user_notify'];
AFTER, ADD
Code:
$db->sql_freeresult($result);
FIND
Code:
if ( !($result = $db->sql_query($sql)) )
{
message_die(GENERAL_ERROR, 'Could not obtain user vote data for this topic', '', __LINE__, __FILE__, $sql);
}
if ( !($row = $db->sql_fetchrow($result)) )
REPLACE WITH
Code:
if ( !($result2 = $db->sql_query($sql)) )
{
message_die(GENERAL_ERROR, 'Could not obtain user vote data for this topic', '', __LINE__, __FILE__, $sql);
}
if ( !($row = $db->sql_fetchrow($result2)) )
FIND
Code:
$message = $lang['Already_voted'];
}
}
else
{
$message = $lang['No_vote_option'];
}
REPLACE WITH
Code:
$message = $lang['Already_voted'];
}
$db->sql_freeresult($result2);
}
else
{
$message = $lang['No_vote_option'];
}
$db->sql_freeresult($result);
privmsg.php
FIND
Code:
$folder = ( isset($HTTP_POST_VARS['folder']) ) ? $HTTP_POST_VARS['folder'] : $HTTP_GET_VARS['folder'];
AFTER, ADD
Code:
$folder = htmlspecialchars($folder);
FIND AND DELETE
Code:
// session id check
if (!empty($HTTP_POST_VARS['sid']) || !empty($HTTP_GET_VARS['sid']))
{
$sid = (!empty($HTTP_POST_VARS['sid'])) ? $HTTP_POST_VARS['sid'] : $HTTP_GET_VARS['sid'];
}
else
{
$sid = '';
}
FIND
Code:
$mode = ( !empty($HTTP_POST_VARS['mode']) ) ? $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
AFTER, ADD
Code:
$mode = htmlspecialchars($mode);
viewtopic.php
FIND
Code:
$post_days = ( !empty($HTTP_POST_VARS['postdays']) ) ? $HTTP_POST_VARS['postdays'] : $HTTP_GET_VARS['postdays'];
REPLACE WITH
Code:
$post_days = ( !empty($HTTP_POST_VARS['postdays']) ) ? intval($HTTP_POST_VARS['postdays']) : intval($HTTP_GET_VARS['postdays']);
FIND
Code:
$post_order = (!empty($HTTP_POST_VARS['postorder'])) ? $HTTP_POST_VARS['postorder'] : $HTTP_GET_VARS['postorder'];
REPLACE WITH
Code:
$post_order = (!empty($HTTP_POST_VARS['postorder'])) ? htmlspecialchars($HTTP_POST_VARS['postorder']) : htmlspecialchars($HTTP_GET_VARS['postorder']);
includes/bbcode.php
FIND
Code:
$bbcode_tpl['url4'] = str_replace('{DESCRIPTION}', '\\5', $bbcode_tpl['url4']);
REPLACE WITH
Code:
$bbcode_tpl['url4'] = str_replace('{DESCRIPTION}', '\\3', $bbcode_tpl['url4']);
FIND
Code:
$replacements[] = $bbcode_tpl['img'];
// matches a [url]xxxx://www.phpbb.com[/url] code..
$patterns[] = "#\[url\]([\w]+?://.*?[^ \"\n\r\t<]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url1'];
// [url]www.phpbb.com[/url] code.. (no xxxx:// prefix).
$patterns[] = "#\[url\]((www|ftp)\.([\w\-]+\.)*?[\w\-]+\.[a-z]{2,4}(:?[0-9]*?/[^ \"\n\r\t<]*)?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url2'];
// [url=xxxx://www.phpbb.com]phpBB[/url] code..
$patterns[] = "#\[url=([\w]+?://.*?[^ \"\n\r\t<]*?)\](.*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url3'];
// [url=www.phpbb.com]phpBB[/url] code.. (no xxxx:// prefix).
$patterns[] = "#\[url=((www|ftp)\.([\w\-]+\.)*?[\w\-]+\.[a-z]{2,4}(:?[0-9]*?/[^ \"\n\r\t<]*)?)\](.*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url4'];
REPLACE WITH
Code:
$replacements[] = $bbcode_tpl['img'];
// matches a [url]xxxx://www.phpbb.com[/url] code..
$patterns[] = "#\[url\]([\w]+?://[^ \"\n\r\t<]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url1'];
// [url]www.phpbb.com[/url] code.. (no xxxx:// prefix).
$patterns[] = "#\[url\]((www|ftp)\.[^ \"\n\r\t<]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url2'];
// [url=xxxx://www.phpbb.com]phpBB[/url] code..
$patterns[] = "#\[url=([\w]+?://[^ \"\n\r\t<]*?)\](.*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url3'];
// [url=www.phpbb.com]phpBB[/url] code.. (no xxxx:// prefix).
$patterns[] = "#\[url=((www|ftp)\.[^ \"\n\r\t<]*?)\](.*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url4'];
FIND
Code:
// matches an "xxxx://yyyy" URL at the start of a line, or after a space.
// xxxx can only be alpha characters.
// yyyy is anything up to the first space, newline, comma, double quote or <
$ret = preg_replace("#(^|[\n ])([\w]+?://.*?[^ \"\n\r\t<]*)#is", "\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $ret);
// matches a "www|ftp.xxxx.yyyy[/zzzz]" kinda lazy URL thing
// Must contain at least 2 dots. xxxx contains either alphanum, or "-"
// zzzz is optional.. will contain everything up to the first space, newline,
// comma, double quote or <.
$ret = preg_replace("#(^|[\n ])((www|ftp)\.[\w\-]+\.[\w\-.\~]+(?:/[^ \"\t\n\r<]*)?)#is", "\\1<a href=\"http://\\2\" target=\"_blank\">\\2</a>", $ret);
REPLACE WITH
Code:
// matches an "xxxx://yyyy" URL at the start of a line, or after a space.
// xxxx can only be alpha characters.
// yyyy is anything up to the first space, newline, comma, double quote or <
$ret = preg_replace("#(^|[\n ])([\w]+?://[^ \"\n\r\t<]*)#is", "\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $ret);
// matches a "www|ftp.xxxx.yyyy[/zzzz]" kinda lazy URL thing
// Must contain at least 2 dots. xxxx contains either alphanum, or "-"
// zzzz is optional.. will contain everything up to the first space, newline,
// comma, double quote or <.
$ret = preg_replace("#(^|[\n ])((www|ftp)\.[^ \"\t\n\r<]*)#is", "\\1<a href=\"http://\\2\" target=\"_blank\">\\2</a>", $ret);
includes/functions_post.php
FIND
Code:
$tagallowed = (preg_match('#^<\/?' . $match_tag . ' .*?(style[\t ]*?=|on[\w]+[\t ]*?=)#i', $hold_string)) ? false : true;
REPLACE WITH
Code:
$tagallowed = (preg_match('#^<\/?' . $match_tag . ' .*?(style[ ]*?=|on[\w]+[ ]*?=)#i', $hold_string)) ? false : true;
FIND
Code:
if (!$end_html || ($end_html != strlen($message) && $tmp_message != ''))
REPLACE WITH
Code:
if ($end_html != strlen($message) && $tmp_message != '')
includes/functions_search.php
FIND
Code:
if ( $match_sql != '' )
{
$sql = "INSERT IGNORE INTO " . SEARCH_MATCH_TABLE . " (post_id, word_id, title_match)
SELECT $post_id, word_id, $title_match
FROM " . SEARCH_WORD_TABLE . "
WHERE word_text IN ($match_sql)";
REPLACE WITH
Code:
if ( $match_sql != '' )
{
$sql = "INSERT INTO " . SEARCH_MATCH_TABLE . " (post_id, word_id, title_match)
SELECT $post_id, word_id, $title_match
FROM " . SEARCH_WORD_TABLE . "
WHERE word_text IN ($match_sql)";
includes/topic_review.php
FIND
Code:
if ( !($forum_row = $db->sql_fetchrow($result)) )
{
message_die(GENERAL_MESSAGE, 'Topic_post_not_exist');
}
AFTER, ADD
Code:
$db->sql_freeresult($result);
FIND
Code:
else
{
message_die(GENERAL_MESSAGE, 'Topic_post_not_exist', '', __LINE__, __FILE__, $sql);
}
AFTER, ADD
Code:
$db->sql_freeresult($result);
templates/subSilver/index_body.tpl
FIND
Code:
<table cellspacing="3" border="0" align="center" cellpadding="0">
<tr>
<td width="20" align="center"><img src="templates/subSilver/images/folder_new.gif" alt="{L_NEW_POSTS}"/></td>
<td><span class="gensmall">{L_NEW_POSTS}</span></td>
<td> </td>
<td width="20" align="center"><img src="templates/subSilver/images/folder.gif" alt="{L_NO_NEW_POSTS}" /></td>
<td><span class="gensmall">{L_NO_NEW_POSTS}</span></td>
<td> </td>
<td width="20" align="center"><img src="templates/subSilver/images/folder_lock.gif" alt="{L_FORUM_LOCKED}" /></td>
<td><span class="gensmall">{L_FORUM_LOCKED}</span></td>
</tr>
</table>
REPLACE WITH
Code:
<table cellspacing="3" border="0" align="center" cellpadding="0">
<tr>
<td width="20" align="center"><img src="templates/subSilver/images/folder_new_big.gif" alt="{L_NEW_POSTS}"/></td>
<td><span class="gensmall">{L_NEW_POSTS}</span></td>
<td> </td>
<td width="20" align="center"><img src="templates/subSilver/images/folder_big.gif" alt="{L_NO_NEW_POSTS}" /></td>
<td><span class="gensmall">{L_NO_NEW_POSTS}</span></td>
<td> </td>
<td width="20" align="center"><img src="templates/subSilver/images/folder_locked_big.gif" alt="{L_FORUM_LOCKED}" /></td>
<td><span class="gensmall">{L_FORUM_LOCKED}</span></td>
</tr>
</table>