The steps to install and configure PHP-Nuke are simple:
- Download and extract the PHP-Nuke files.
- Download and apply ChatServ’s patches.
- Create the database for PHP-Nuke.
- Create a database user, and fill the database with data.
- Make some simple changes to the PHP-Nuke configuration file.
- Copy the PHP-Nuke files to the document root of the web server.
- Test it out!
Let’s get started.
The latest version of PHP-Nuke can be downloaded from the phpnuke.org downloads page:
You can also obtain older versions of PHP-Nuke, including version 1.0, from SourceForge:
SourceForge is the world’s largest home of open-source projects. Many projects use SourceForge’s facilities to host and maintain their projects. You can find almost anything you want on SourceForge—whether it is in a usable state or has been updated recently is another matter.
Once you have downloaded PHP-Nuke, you should extract the contents of the PHP-Nuke ZIP archive to the root of your C: drive. You will have to create a folder called PHP-Nuke-7.8 in the root of your C: drive. (If you extract the files elsewhere, create the folder PHP-Nuke-7.8 and copy the contents of the main unzipped folder to this new folder.)
If you don’t have a tool for extracting the files, you can download an evaluation edition (or buy a full edition) of WinZip from www.winzip.com.
There are also free, powerful extraction tools such as ZipGenius (http://www.zipgenius.it/index_eng.htm) and 7-Zip (http://sourceforge.net/projects/sevenzip/), among others.
In the PHP-Nuke-7.8 folder, you will find three subfolders called html, sql, and upgrades. The upgrades folder contains scripts that handle upgrading the database between different versions, the sql folder contains the definition of the PHP-Nuke database that we will be working with, and the html folder contains the guts of your PHP-Nuke installation.
The html folder contains all the PHP scripts, HTML files, images, CSS stylesheets, and so on that drive PHP-Nuke. Within the html folder are further subfolders; some of these include:
- modules: Contains the modules that make up your PHP-Nuke site. Modules are the essence of PHP-Nuke’s operation; we look at them from article Your First Page onwards.
- blocks: Contains PHP-Nuke’s blocks. Blocks are ‘mini-functionality’ units and usually provide snippet views of modules. We will look at blocks in article Managing the Site.
- language: Contains PHP-Nuke language files. These allow the language of PHP-Nuke’s interface to be changed.
- images: Contains images used in the display of the PHP-Nuke site.
- themes: Contains the themes for PHP-Nuke. The use of themes allows you to completely change the look of a PHP-Nuke site with a click of a button.
- includes, db: Contain code to support the running of PHP-Nuke. The db folder, for example, contains database access code.
- admin: Contains code to power the administration area of your site.
Downloading the Patches
No software is without its flaws, and PHP-Nuke is no exception. After a release, the large user community invariably finds problems and potential security holes. Furthermore, PHP-Nuke also contains features such as its forum, which is in fact the phpBB application specially modified to work with PHP-Nuke. phpBB itself is updated on a regular basis to correct critical security vulnerabilities or to fix other problems, and consequently the corresponding part of PHP-Nuke also needs to be updated. Rather than releasing a new version of PHP-Nuke for these situations, patches for its various parts are released.
ChatServ’s patches from www.nukeresources.com are mostly concerned with variable validation, in other words, making sure that the variables used in the application are of the right type for storing in the database. This has been an area of weakness with many earlier versions of PHP-Nuke. The patches are often incorporated into subsequent versions of PHP-Nuke so that each new version becomes more robust.
Note that you don’t have to apply the patches, and PHP-Nuke will still work without them. However, by applying them you will have taken a good step towards improving the security of your site.
If you navigate to http://www.nukeresources.com, there is a handy menu on the front page to access the patches:
To obtain the patch corresponding to your version, click the link and you will be taken to the relevant file (of course, www.nukeresources.com is a PHP-Nuke powered site!). Click on the Nuke 7.8 link to go to the Downloads page of www.nukeresources.com. On this page, clicking the Download this file Now! link will download the patches for PHP-Nuke 7.8. The name of this file will be of the form 78patched.tar.gz. This is a GZIP compressed file that contains all the patches that we are about to apply. The GZIP file can be extracted with WinZip, or any of the other utilities we discussed earlier.
The patches are simply modified versions of the original PHP-Nuke files. The original files have been modified to address various security issues that may have been identified since the initial release, or maybe since the last version of the patch.
Applying the Patches
To apply the patches, first we need to extract the 78patched.tar.gz file. We will extract the files into a folder called patches that we will create in the PHP-Nuke-7.8 folder.
After extracting the files, copy the contents of the patches folder to your html folder. Do not copy the patches folder itself; copy its contents. The patches folder contains files that replace the files in the default installation, so you will get a Confirm File Replace window. Select Yes for all the files, and when the copying is complete, your installation is ready to go.
We have performed this patching immediately after installing PHP-Nuke, but we could have done this at any time. Doing it at this point is more sensible as it means that we are working on the most secure version of PHP-Nuke. Also, the patch process we have described here overwrites existing PHP-Nuke installation files. If you have modified these files, then the changes will be lost on applying the patch. Thus applying the patches later without disturbing any of your changes becomes more demanding.
There is one further thing to watch for after applying the patches. You may find that the patched files have had their permissions set to read-only, and that you are unable to modify the files. To modify the files (and we do have to modify at least the config.php file in this article) you will need to remove this setting. You can do this on Windows by right-clicking on the file, selecting Properties from the menu, unchecking the Read-only setting, and clicking the OK button:
We’ve done almost all the work with the files that we need to; now we turn our attention to creating and populating PHP-Nuke’s database.
Preparing the PHP-Nuke Database
We’ll be using the phpMyAdmin tool to do our database work. phpMyAdmin is part of the XAMPP installation (detailed in Appendix A), or can be downloaded from www.phpmyadmin.net, if you don’t already have it. phpMyAdmin provides a powerful web interface for working with your MySQL databases.
First of all, open your browser and navigate to http://localhost/phpmyadmin/, or whatever the location of your phpMyAdmin installation is:
Creating the Database
We need to create an empty database for PHP-Nuke to hold all the data about our site. To do this, we simply enter a name for our database into the Create new database textbox:
We will call our database nuke. Enter this, and click the Create button. The name you give doesn’t particularly matter, as long as it is not the name of some already existing database. If you try to use the same name as an already existing database, phpMyAdmin will inform you of this, and no action will be taken. The exact name isn’t particularly important at this point because there is another configuration step coming up, which requires us to tell PHP-Nuke the name of the database we’ve created for it.
After clicking Create, the screen will reload and you will be notified of the successful creation of your database:
Creating a Database User
Before we start populating the database, we will create a database user that can access only the PHP-Nuke database. This user is not a human, but will be used by PHP-Nuke to connect to the database while it performs its data-handling activities. The advantage of creating a database user is that it adds an extra level of security to our installation. PHP-Nuke will be able to work with data only in this database of the MySQL server, and no other. Also, PHP-Nuke will be restricted in the operations it can perform on the tables in the database.
We will need to create a username for this boxed-in user to access the nuke database. Let’s call our user nuker and go with the password nukepassword. However, in order to add an extra level of security we will introduce some digits into nukepassword, and some other slight twists, to strengthen it, and so use the word No0kPassv0rd as our database user password.
To create the database user, click the SQL tab, and enter the following into the Run SQL query/queries on database textbox:
GRANT ALL PRIVILEGES ON nuke.* TO nuker@localhost
IDENTIFIED BY 'No0kPassv0rd'
WITH GRANT OPTION
Your screen should look like this:
Click the Go button, and the database user will be created:
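The statement above confines the account to the nuke database, but ALL PRIVILEGES combined with WITH GRANT OPTION still lets that account drop or alter tables and pass its rights on to other accounts. As an added example (not part of the original article), a narrower grant could look like the following; it assumes that PHP-Nuke's day-to-day operation needs only row-level access and that nuke.sql is imported through your own phpMyAdmin login rather than as nuker.

```sql
-- Added example, not from the original article.
-- Assumption: normal PHP-Nuke operation only reads and writes rows; table
-- creation from nuke.sql is done through your phpMyAdmin login, not as nuker.

-- If the broad grant has already been issued, strip it first.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'nuker'@'localhost';

-- Row-level access to the nuke database only, with no GRANT OPTION.
-- (GRANT ... IDENTIFIED BY is the syntax of the MySQL versions of this era;
-- MySQL 8.0 and later need CREATE USER first.)
GRANT SELECT, INSERT, UPDATE, DELETE
    ON nuke.*
    TO 'nuker'@'localhost'
    IDENTIFIED BY 'No0kPassv0rd';

-- Confirm what the account can actually do.
SHOW GRANTS FOR 'nuker'@'localhost';
```

If an upgrade script or module later fails with a permission error, grant the specific missing privilege (for example CREATE or ALTER) for the duration of that task and revoke it afterwards.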
Populating the Database
Now we are ready to fill our database with data for PHP-Nuke. This doesn’t mean we start typing the data in ourselves; the data comes with the PHP-Nuke installation. This data is found in a file called nuke.sql in the sql folder of the PHP-Nuke installation. This file contains a number of SQL statements that define the tables within the database and also fill them with ‘raw’ data for the site.
However, before we fill the database with the tables from this file, we need to make a modification to this file.
By default, the name of each database table in PHP-Nuke begins with nuke_. For example, there is a table with the name nuke_stories that holds information about stories, and a table called nuke_topics that holds information about story topics. These are just two of the tables; there are more than 90 in the standard installation. The word nuke_ is a ‘table prefix’, and is used to ensure that there are no clashes between the names of PHP-Nuke’s tables and tables from another application in the same database, since the rest of the table name is descriptive of the data stored in the table, and other applications may have similarly named tables.
What this does mean is that unless this table prefix is changed, the table names in your PHP-Nuke database will be known to anyone attempting to hack your site. Many of the typical attacks used to damage PHP-Nuke are based around the fact that the names of the tables in the database powering a PHP-Nuke site are known. By changing the table prefix to something less obvious, you have taken another step to making your site more secure.