
bbsengine is a simple yet elegant open source (LGPL) application framework. It was started on 2002-aug-01 (and again on 2008-nov-11) with the goal of providing a simple but elegant php-based web application library for developers using, at the time, php4. bbsengine1 had some security problems (see "security issues in bbsengine1" below) which were fixed in bbsengine2. bbsengine4 is written in php5.4 (requires 5.4.x or above) and uses PostgreSQL (9.2.x or above), the Smarty3 template engine (3.1.30+), and several modules from PEAR including pager, html_quickform2, html_quickform2_captcha and mdb2.

In June 2011 use of html_page2 (0.6.5-beta or above, at the time) was added and an upgrade from Smarty2 to Smarty3 was performed.

To make effective use of bbsengine4 you will need to be a developer comfortable with PEAR packages and Smarty3 templates, and have hosting with PostgreSQL available. bbsengine4 has not been tested on servers using web-based control panels for system administration, but it can be done.

The current version, bbsengine4, eliminates use of PEAR::HTML_Page2, makes use of "template inheritance" in Smarty3, and requires php 5.4.16+ due to use of "shorthand array syntax" (the syntax itself arrived in php 5.4.0).

news: docs updated, new release made which includes source and the new form handling (2015-nov-03)

Based on suggestions from a user, I've merged the project 'bbsenginedotorg' (this website) with 'bbsengine4' so that it serves as a basic example of how to get a site working using this framework.

I've radically updated the INSTALL file so that the version numbers of the various packages are accurate, the descriptions are more concise, and it offers some useful hints on how to configure things so they work well.

Form handling has been simplified down to three function calls, which allows for very straightforward use of enhanced forms:

  • handleform() - accepts an html_quickform2 instance and a standard callback parameter. Returns True if all went well (the form was submitted, validates, and the callback succeeded) or a PEAR::Error if things went wrong. Any other return value means the form still has to be shown to the user.
  • getquickform() - updated to add recursive rules which call trim() and strip_tags() on every submitted value, instead of putting two function calls into every use of quickform.
  • displayform() - accepts an html_quickform2_renderer instance. This function is normally called if handleform() returns something other than True or PEAR::Error.
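The three calls in use, as an added example that is not bbsengine's own code. The function bodies below are a minimal re-implementation of the pattern on top of PEAR HTML_QuickForm2 and MDB2 so the page can be read stand-alone; the signatures (displayform() here also takes the form), the "entry" table, the element names and the DSN are assumptions made for illustration. The callback stores the values with bound parameters, which is the bbsengine2 change that closed the SQL injection advisory.

```php
<?php
// Added example, not bbsengine's own code: a minimal version of the
// three-call form pattern on top of PEAR HTML_QuickForm2 and MDB2.
// Function bodies, the "entry" table and the DSN are assumptions made
// for illustration; only the call shape follows the list above.
require_once 'PEAR.php';
require_once 'MDB2.php';
require_once 'HTML/QuickForm2.php';
require_once 'HTML/QuickForm2/Renderer.php';

// getquickform: attach the recursive filters once, so every submitted value
// is trimmed and stripped of tags before any rule or callback sees it.
function getquickform($name)
{
    $form = new HTML_QuickForm2($name, 'post');
    $form->addRecursiveFilter('trim');
    $form->addRecursiveFilter('strip_tags');
    return $form;
}

// handleform: true when the form was submitted, validates and the callback
// succeeded; false when it was not submitted or fails validation (the caller
// then displays it); PEAR_Error when the callback reports a failure.
function handleform(HTML_QuickForm2 $form, $callback)
{
    if (!$form->validate()) {
        return false;
    }
    $result = call_user_func($callback, $form->getValue());
    if ($result !== true) {
        return PEAR::raiseError('form callback failed: ' . $result);
    }
    return true;
}

// displayform: render the form, including rule messages, with the renderer.
function displayform(HTML_QuickForm2 $form, $renderer)
{
    return (string) $form->render($renderer);
}

// The callback's persistence step. The values travel as bound parameters
// and never become part of the SQL text, so a quote in a title cannot
// change the statement.
function storeentry(MDB2_Driver_Common $db, array $values)
{
    $stmt = $db->prepare(
        'INSERT INTO entry (title, body) VALUES (?, ?)',
        array('text', 'text'),
        MDB2_PREPARE_MANIP
    );
    if (PEAR::isError($stmt)) {
        return $stmt->getMessage();
    }
    $res = $stmt->execute(array($values['title'], $values['body']));
    $stmt->free();
    return PEAR::isError($res) ? $res->getMessage() : true;
}

$db = MDB2::factory('pgsql://bbs:secret@localhost/bbs');  // assumed DSN
if (PEAR::isError($db)) {
    die('database unavailable');
}

$form = getquickform('newentry');
$title = $form->addElement('text', 'title', array('maxlength' => 80));
$title->addRule('required', 'title is required');
$title->addRule('maxlength', 'title is at most 80 characters', 80);
$body = $form->addElement('textarea', 'body');
$body->addRule('required', 'body is required');
$form->addElement('submit', 'post', array('value' => 'post'));

$status = handleform($form, function (array $values) use ($db) {
    return storeentry($db, $values);
});

if ($status === true) {
    header('Location: /');  // post/redirect/get after a successful write
    exit;
}
if (PEAR::isError($status)) {
    // library code raised; the page decides what the user sees
    echo 'error: ' . htmlspecialchars($status->getMessage(), ENT_QUOTES, 'UTF-8');
    exit;
}
echo displayform($form, HTML_QuickForm2_Renderer::factory('default'));
```

Note that HTML_QuickForm2::validate() returns false for a form that has not been submitted yet, which is what makes the single "anything other than True or an error" branch at the end sufficient: a first visit and a failed validation both end up in displayform(), and only a successful write redirects.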

The bbsengine handbook now uses MarkDown for human-readable markup.

There is now a 'composer.json' file shipped with bbsengine4, but it has not been tested beyond a simple lint to make sure it does not contain syntax errors. I am interested in tools that will take a list of package names (e.g. the output of 'pear list') and set up the required records automagically, including state ('beta', 'stable', etc).


selected changes from bbsengine1 to bbsengine2

  • rewrite to use MDB2 instead of DB
  • rewrite database access to use bound parameters (closing one CVE)
  • hack wpprop to circumvent 2 CVEs

selected changes from bbsengine2 to bbsengine3

  • use of PostgreSQL schemas: one database per domain, with foreign keys maintained.
  • python package
  • html_quickform2

python package (bbsengine3+)

I've been using the python package of bbsengine to implement various tools and scripts to help run my business. projectflow works with taskflow and invoiceflow to generate invoices in PDF format.

selected changes from bbsengine1 to bbsengine2

  • renamed a few of the core functions so it is clearer what they do (for example, "errormessage()" has been renamed to "displayerrorpage()", "displayheader()" renamed to "displaypageheader()")
  • displayheader() and displayfooter() have now been replaced with use of HTML_Page2 and fetchpageheader() and fetchpagefooter()
  • added some API functions that were not available in bbsengine1 (examples: getquickform(), getpage(), fetchpageheader() and fetchpagefooter())
  • spun off applications (aolbonics, demeter, sophia, teos, vulcan) into separate projects
  • changed to use the MDB2 database abstraction layer instead of DB
  • used rules in html_quickform for cleaner handling of input validation
  • database queries make use of "bound parameters" to prevent sql injection attacks
  • added fetchpageheader() and fetchpagefooter() and modified displaypageheader() and displaypagefooter() to use them. This change is part of using HTML_Page2 for generating pages
  • made heavy use of PEAR::raiseError() to improve error handling: all library functions return a PEAR::Error rather than outputting anything, and the application decides how to display it to the user, with a message the developer can easily grep for and address.
  • made use of foreign key constraints in the postgresql database.

some sites built with bbsengine3

  • Demeter is a "feed harvester" similar to google's "feed reader". This can easily be customized to have feeds relevant to a specific interest group, for example the military community. This needs to be rewritten to use bbsengine4 and licensing issues need to be sorted.
  • Sophia is a threaded discussion system which could be configured as a "blog" (which means a select group of people can start new threads) or "forum" (which means anyone can start a new thread)
  • Teos is a "catalog view" into the content, similar to or
  • Vulcan is a view of only the "links" part of the content database
  • Repo is a software repository where you can find various open source packages that Zoid Technologies maintains
  • Projects is a list of available projects crosslinked into the repo site for file downloads

security issues in bbsengine1 (2006)

In 2006 (10+ years ago), three security advisories were issued for bbsengine1.

  • CVE-2006-3306 - Improperly sanitized input.
    I fixed this by removing preparestring() from the library entirely and using the 'escape' Smarty modifier at output time instead. The modifier has to match the context it is used in: its default 'html' mode is right for element content and quoted attribute values, while values going into URLs or JavaScript need the 'url' or 'javascript' modes.
  • CVE-2006-3307 - SQL Injection.
    I fixed this by using 'bound parameters' in database calls via the MDB2 library, so user input is never spliced into the SQL text.
  • CVE-2006-3308 - Problem with the 'img' tag of the 'wpprop' custom Smarty modifier.
    I hacked around this by adding a call to htmlentities() on all user-supplied input to the wpprop function. Note that htmlentities() only encodes single quotes when it is passed ENT_QUOTES (php 5.x does not do so by default), so attribute values need that flag, and the charset should be given explicitly as well.
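The output-escaping side of the two markup fixes above, as an added example that is not bbsengine's code. The "imgtag" modifier is a hypothetical stand-in for wpprop, written only to show what the htmlentities() change does and why ENT_QUOTES matters; the template is built inline with Smarty3's string resource, and the hostile inputs at the bottom are constructed.

```php
<?php
// Added example, not bbsengine's own code: the output-escaping side of the
// fixes above, with Smarty3. "imgtag" is a hypothetical stand-in for the
// wpprop modifier, written only to show what the htmlentities() change does;
// the inputs at the bottom are constructed, not real site content.
require_once 'Smarty.class.php';

// Before: user-supplied values dropped straight into single-quoted
// attributes. A value containing a quote ends the attribute early and
// whatever follows becomes new attributes on the tag.
function smarty_modifier_imgtag_unsafe($src, $alt = '')
{
    return "<img src='$src' alt='$alt'>";
}

// After: htmlentities() with ENT_QUOTES and an explicit charset. Without
// ENT_QUOTES the single quote survives and the fix only covers double-quoted
// attributes; php 5.x does not add ENT_QUOTES by default.
function smarty_modifier_imgtag($src, $alt = '')
{
    $src = htmlentities($src, ENT_QUOTES, 'UTF-8');
    $alt = htmlentities($alt, ENT_QUOTES, 'UTF-8');
    return "<img src='$src' alt='$alt'>";
}

// Render one page body from a constructed template. Plain text goes through
// the built-in 'escape' modifier (the CVE-2006-3306 fix); the image goes
// through whichever modifier the caller names.
function renderbody($title, $src, $modifier)
{
    $smarty = new Smarty();
    $smarty->setCompileDir(sys_get_temp_dir());
    $smarty->registerPlugin('modifier', 'imgtag', 'smarty_modifier_imgtag');
    $smarty->registerPlugin('modifier', 'imgtag_unsafe', 'smarty_modifier_imgtag_unsafe');
    $smarty->assign('title', $title);
    $smarty->assign('src', $src);
    return $smarty->fetch('string:<h1>{$title|escape}</h1>{$src|' . $modifier . '}');
}

// Constructed hostile input: a title carrying markup and an image source
// that tries to break out of the attribute.
$title = '<script>alert(1)</script>';
$src   = "x' onerror='alert(1)";

echo renderbody($title, $src, 'imgtag_unsafe'), "\n";
echo renderbody($title, $src, 'imgtag'), "\n";
```

In both renderings the title is neutralised by the escape modifier (Smarty3's 'html' mode runs htmlspecialchars() with ENT_QUOTES). The difference is in the image: with the unsafe modifier the quote in $src closes the src attribute and onerror becomes a live attribute of the tag; with ENT_QUOTES the quote is emitted as an entity and the whole string stays inside the attribute value.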