Author: Richard Williamson (aka Old Guy)
Website - Support Forums
Email: Link on Website

version 2.3.16 July 2010

Fixed security vulnerabilities in comments-edit-prep.php and comments-validate.php.

version 2.3.15

Fixed a bug in admin/index.php that caused backup to not work.

version 2.3.14

Files changed: comments-add.php, spamwords.php, includes/init-comments.php

version 2.3.13

Files changed: comments-validate.php, comments-add.php

version 2.3.12

Fixed IP address test. Files changed: includes/init.php, version.php

version 2.3.11

Fixed bug that prevented the confirm subscription email from being sent if the comment is moderated.
Files changed: comments-add.php, comments-validate.php, release-notes.html, version.php, includes/functions.php

version 2.3.10

  1. Reduced the possibility of the error "DB query error, open_db() - trying to connect to the server" occurring when the server is heavily loaded.
  2. Fixed a bug in the javascript that prevented some basic error checks, performed before submitting the comment, from working.

version 2.3.9

  1. The HTML sanitizing routine was not catching <script> tags, creating a hacking vulnerability. Modified validate-comments.php to catch the tags. If you are on a recent release and don’t want to do a full upgrade, then simply upload validate-comments.php.

version 2.3.8

  1. Added author as a search field.

version 2.3.7

  1. Some hacking/spam attempts overwrote the language name input field causing an invalid language error email. Eliminated the email because there is nothing to do about it. The invalid comment is just dropped.

version 2.3.6

  1. The HTML tag checking routine wasn’t catching unclosed tags.
  2. Fixed problems with subscriptions. Also, using javascript to validate required comment form fields has been removed because it was preventing subscribing without entering a comment from working. That validation will now be done only by the scripts.
  3. Because some servers do not properly create the DOCUMENT_ROOT variable, changed how install.php and init.php determine the document root directory and added a document root variable to config.php. That variable is not needed for existing installations; it only applies to new installations.
  4. Fixed a problem affecting deleting comments.
  5. Removed subject, location, email, author fields from $http_ok array in init-comments.php.
  6. Insert "Re: " and original comment subject into replies.
  7. Fixed local file inclusion vulnerability in install/help.php.
  8. Replace ' " & in email, author, website, subject with html entities before adding comment to the db.
  9. Removed pagination (which wasn't working) from admin select page panel.
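The two sanitizing changes noted in 2.3.9 (the routine missed <script> tags) and in 2.3.6 (unclosed tags were not caught; the short header fields get entities before storage) describe an allow-list approach. The following is an added illustration of that approach, written for this page and not code from TalkBack itself; the function names, the attribute allow-list and the sample comment are assumptions made for the example.

```php
<?php
// Added example, not TalkBack's own code. Shows an allow-list HTML filter for
// the comment body and entity escaping for the header fields, as the release
// notes describe. tb_filter_tags(), tb_escape_fields() and $allowedAttrs are
// names chosen for this example.

/**
 * Keep only the tags listed in $allowed (e.g. ['b', 'i', 'a']). Every other
 * tag, <script> included, is removed while its text is kept; text outside tags
 * is entity-escaped so a bare "<script" with no closing ">" is inert; only a
 * few attributes survive on allowed tags; unclosed tags are closed and stray
 * closing tags are dropped.
 */
function tb_filter_tags(string $html, array $allowed): string
{
    $allowedAttrs = ['a' => ['href'], 'img' => ['src', 'alt']]; // assumed per-tag attribute allow-list
    $voidTags     = ['img', 'br'];                                // tags that take no closing tag
    $stack        = [];                                           // currently open tags, innermost last
    $out          = '';

    // Split into alternating text / tag pieces; the capture keeps the tags.
    $pieces = preg_split('/(<\/?[a-zA-Z][a-zA-Z0-9]*(?:\s[^<>]*)?>)/', $html, -1, PREG_SPLIT_DELIM_CAPTURE);

    foreach ($pieces as $i => $piece) {
        if ($i % 2 === 0) {
            // Text segment: escape anything that could start markup.
            $out .= htmlspecialchars($piece, ENT_QUOTES, 'UTF-8', false);
            continue;
        }
        if (!preg_match('/^<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>$/', $piece, $m)) {
            continue;
        }
        $tag = strtolower($m[2]);
        if (!in_array($tag, $allowed, true)) {
            continue;                          // not allowed: drop the tag, keep surrounding text
        }
        if ($m[1] === '/') {
            if (end($stack) === $tag) {        // closing tag must match the innermost open tag
                array_pop($stack);
                $out .= "</$tag>";
            }
            continue;                          // otherwise it is a stray closing tag
        }

        // Rebuild the opening tag with only allow-listed attributes and plain http(s) URLs.
        $attrs = '';
        if (preg_match_all('/([a-zA-Z-]+)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s"\'>]+)/', $m[3], $am, PREG_SET_ORDER)) {
            foreach ($am as $a) {
                $name  = strtolower($a[1]);
                $value = trim($a[2], "\"'");
                if (!in_array($name, $allowedAttrs[$tag] ?? [], true)) {
                    continue;                  // drops onclick= and friends
                }
                if (in_array($name, ['href', 'src'], true) && !preg_match('#^https?://#i', $value)) {
                    continue;                  // drops javascript: and similar URLs
                }
                $attrs .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
            }
        }
        if (!in_array($tag, $voidTags, true)) {
            $stack[] = $tag;
        }
        $out .= "<$tag$attrs>";
    }

    // Close whatever was left open, innermost first (the unclosed-tag case).
    while (($tag = array_pop($stack)) !== null) {
        $out .= "</$tag>";
    }
    return $out;
}

/**
 * Header fields (email, author, website, subject): replace ' " & < > with
 * entities before the row is written, so they are inert wherever a template
 * later echoes them.
 */
function tb_escape_fields(array $fields): array
{
    return array_map(
        fn(string $v): string => htmlspecialchars(trim($v), ENT_QUOTES, 'UTF-8'),
        $fields
    );
}

// Constructed sample input for the example.
$comment = 'Hi <b>there<script>alert(1)</script> <a href="javascript:alert(2)" onclick="x()">link</a> <i>unclosed';
echo tb_filter_tags($comment, ['b', 'i', 'a']), "\n";

$row = tb_escape_fields(['author' => "O'Brien & Co", 'subject' => 'Re: "quotes" <b>']);
print_r($row);
```

The filter drops a disallowed tag but keeps its text content, so `<script>alert(1)</script>` becomes the harmless text `alert(1)`; if a deployment prefers to discard the contents of script and style elements entirely, that is a small extra step before the split. Escaping the header fields at insert time, as the 2.3.6 note does, means the templates can echo them as-is, but any later editing form must decode them (html_entity_decode) before redisplaying them in an input field, or the entities will be doubled on the next save.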

version 2.3.5 Jul 03, 2008

Fixed error in admin/index.php that caused the database backup to not work.

version 2.3.4 Jun 26, 2008

Fixed error in admin/admin-banned-tpl.php link.

version 2.3.3 Jun 25, 2008

Fixed error in language files $lang['anti_flood_msg'] entry.

version 2.3.2 Jun 24, 2008

Fixed cosmetic error in admin/admin-nav-tpl.php.

version 2.3.1 Jun 23, 2008

Fixed error in admin/index.php approve spam.

version 2.3.0beta5 and 2.3.0 May 22, 2008

  1. More security fixes.
  2. Incorporated search-results-tpl.code into search-results.php and deleted search-results-tpl.php.

version 2.3.0beta3 April 2008

  1. New feature: display poster’s Gravatar.
  2. Security changes.

version 2.3.0beta2 March 2008

  1. New feature: captcha.
  2. New feature: search comments.
  3. Modified the default templates (comments-display-tpl.php and comments-form-tpl.php) and associated styles in style.css.
  4. Added configuration option for spam words filtering. Default is no filtering. Expanded spam words filtering to optionally check the email, author name and/or subject fields. Existing users must rename their current spamwords.php file to my-spamwords.php.
  5. Added configuration setting: show comments legend as number of comments or as number of pages.
  6. Added alternate styles templates and css (in addons directory). These styles can be seen at
  7. Fixed bug: website field was not being filled with “http://”.
  8. Modified error routines to provide more information for troubleshooting.
  9. Modified the comments form subscribe line (allow visitor to uncheck after checking).
  10. Made previous/next arrows smaller & changed style.css to use them. Applies to new installs. If you’re upgrading and want to use the smaller arrows, you have to change the URLs in styleCustom.css.
  11. While making a lot of style changes for a user, I discovered that using styleCustom.css for style overrides is too cumbersome and prone to error when making many changes. So, for new installs, I removed styleCustom.css. Instead, users copy style.css to my-styles.css and make style changes in it. Current users who are upgrading will not be affected. You may continue to use styleCustom.css for your css changes.

version January - March 2008

Fixed remote file exploit vulnerability. This is a mandatory upgrade. If not done, your website is open to hacker attacks unless register_globals is turned off (see paragraph 1, doc/install.html).

version 2.2.7 October 2007

Changed connection from HTTP/1.1 to HTTP/1.0 in the includes/classAkismet.php script.

version 2.2.6 October 2007

Fixed bug in comments-add.php ("Email replies to my comment only" was not working).

version 2.2.5 September 2007

Fixed bug in admin/index.php (unapproved list delete all command wasn't working).

version 2.2.4 September 2007

  1. Changed comments-validate-functions.php to insert emoticon links after the check for allowed HTML tags is performed. Now the "img" tag is not required for emoticons to be used.
  2. Changed comments-add.php to do the spamwords check on author name in addition to the comment text.
  3. Changed /admin/index.php so that replies that are flagged as spam become replies instead of original comments when they are approved.
  4. Fixed bugs (to update article count when a comment is approved; to not update when comment is in moderation status). Files affected: admin/index, comments-add.php.

version 2.2.3 September 2007

Added a spamwords filter (read instructions in spamwords.php).

version 2.2.2 August 2007

  1. Fixed error in includes/functions.php that caused confirm subscription notice to be sent using the default language instead of the poster's selected language.
  2. Fixed error in includes/functions.php that occurs when sending email when safe_mode is on.
  3. Added Delete All link to admin unapproved comments list. Files affected: admin/index.php, admin/comments-unapproved-tpl.php, language/english.php and dutch.php.

version 2.2b6 - 2.2.1 May-August 2007

Bug fixes.

version 2.2b5 (5th beta release) April 2007

  1. Added "Logout" to the admin menu bar.
  2. TalkBack now works on websites that have a ? in the URL, for example: It will also work with “article oriented” websites such as blogs and some pages on Content Management Systems. An “articles” table has been added for this.
  3. To make it easier to fit the comment preview panel into your layout, a comment-preview-tpl.php template was created. You will have to edit the preview panel setting in the configuration panel to point to comment-preview-tpl.php.
  4. More improvements to the user guide.

version 2.2b4 (4th beta release) April 2007

  1. Added more quick tag buttons, including < and >, which allow the author to insert left and right brackets into the comment text.
  2. Changed the format of the allowed tags configuration setting. Quick tag buttons will be displayed in the order of the entries in this field. You can allow a tag but not show a quick tag button for it by placing a - (minus) after it. dpupdate.php will make the changes for you. Example of new format:
    These are all of the tags supported by the quick tags routine. You can allow other tags but cannot show quick tag buttons for them.

    Created file /includes/allowable-tags-inc.php that defines the tags that may be included in the configuration allowed tags field. If it’s not in this list then the tag cannot be allowed.

  3. Added “lightbox” capability for displaying images in comments. If enabled (a configuration setting) and if img tags are allowed, the img quick tag button will insert a link into the comment instead of an img tag. Clicking the link causes the image to be opened in a lightbox— a small window overlaid on the page. This prevents large images from breaking your page layout. See the user guide > About lightbox for more information.
  4. Added a help link to each configuration setting in the admin configuration panel.
  5. Replaced the single help link on the comment form with individual help links.
  6. Added additional options to the author website configuration setting to style the author field in the comment header when the author has entered a website URL. You can choose to display one of two images for the website link, create a text link or no link.
  7. Rewrote the emoticon functions to use a text input file for defining emoticons and their associated codes. You can now add and delete emoticons, change the order in which they appear on the comment form, change their associated codes and the emoticon link title by editing the text file. images/smilies contains the text file: Instructions for adding/deleting emoticons and reordering the comments form emoticon line are in that file.
  8. Simplified the method for including TalkBack stylesheet and javascript links in the head section of your pages. See the user guide > How to add comments to your pages. It is also explained in the user guide > Upgrading from an earlier release of version 2.
  9. Replaced the HTML sanitizing code with a routine that gives better protection against cross-site scripting attacks.
  10. Replaced the comment text formatting code with a better routine.
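Item 2 above describes the allowed tags setting: entries in quick tag button order, a trailing - (minus) to allow a tag without showing its button, and a supported-tags list (allowable-tags-inc.php) outside of which a tag cannot be allowed. The parser below is an added example written for this page, not TalkBack's code. The page does not show the example format, so the separator between entries (commas or whitespace) is an assumption, as are the function name and the sample setting.

```php
<?php
// Added example, not TalkBack's own code. Turns the allowed tags setting into
// the two lists the scripts need: tags the sanitizer may keep, and tags that
// get a quick tag button, both in setting order. Entries are assumed to be
// separated by commas and/or whitespace; tb_parse_allowed_tags() is an assumed name.

/**
 * @param string $setting   the raw configuration field, e.g. "b, i, a-, img-"
 * @param array  $supported the tags defined in allowable-tags-inc.php
 * @return array{allowed: string[], buttons: string[], rejected: string[]}
 */
function tb_parse_allowed_tags(string $setting, array $supported): array
{
    $allowed  = [];   // tags the sanitizer may keep, in setting order
    $buttons  = [];   // tags that get a quick tag button, in setting order
    $rejected = [];   // entries not in the supported list: cannot be allowed

    foreach (preg_split('/[\s,]+/', trim($setting), -1, PREG_SPLIT_NO_EMPTY) as $entry) {
        $hideButton = substr($entry, -1) === '-';
        $tag = strtolower($hideButton ? substr($entry, 0, -1) : $entry);

        if ($tag === '' || !in_array($tag, $supported, true)) {
            $rejected[] = $entry;             // unknown tag: refuse it rather than trust the field
            continue;
        }
        if (!in_array($tag, $allowed, true)) {
            $allowed[] = $tag;
        }
        if (!$hideButton && !in_array($tag, $buttons, true)) {
            $buttons[] = $tag;
        }
    }
    return ['allowed' => $allowed, 'buttons' => $buttons, 'rejected' => $rejected];
}

// Constructed sample: "script" is not a supported tag, so it is rejected even
// though it appears in the field; "a" and "img" are allowed without buttons.
$supported = ['b', 'i', 'u', 'a', 'img', 'blockquote', 'code'];
print_r(tb_parse_allowed_tags('b, i, a-, img-, script', $supported));
```

Refusing entries outside the supported list (the rejected list above) keeps the configuration field from becoming a way to widen what the sanitizer accepts; an admin panel can show the rejected entries back to the administrator instead of silently dropping them.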

version 2.2b3 (3rd beta release) March 2007

  1. Made a number of revisions and improvements to the user guide. Moved the tips into the user guide. Deleted the tips directory. Added an "addons" directory for current and future extensions to TalkBack (see "Addons" section in user guide). Addons are scripts, images or other goodies that are not part of the base TalkBack package but may be useful to some users.
  2. Removed the non-functioning help link from the install template.
  3. There is no reason to upgrade if you are using version 2.2b2.

version 2.2 beta 1-2 (1st and 2nd beta releases) March 2007

  1. Substantial changes for new features have been made to the CSS and templates. The changes cannot easily be incorporated into any existing customized templates you may have. The safest way to upgrade is to redo your customizations using the default templates in this release. See the user guide for more information.
  2. Added new fields to comments:
    • Author location field
    • Comment subject field
  3. Added new configuration settings:
    • "Bad words filter" to enable/disable bad words filtering.
    • "Subscribe to comments" to enable/disable visitors subscribing to followup comments.
    • "Comment replies" to enable/disable replies to comments.
    • "Author location" to show or not show the location field on the comment form and in comments.
    • "Author website" to show or not show the website field on the comment form and in comments.
    • "Comment subject" to show or not show the subject field on the comment form and in comments.
    • "Path to backup files directory"; this must be set before using the revised database backup script (more information below).
    • "Discard spam"; more information below.
    • "Comments driver script" allows you to change the name of the primary comments script (comments.php) which may or may not reduce spam.
  4. Added a "Spam" link to the comments footer. It will delete the comment and notify Akismet. (saves a trip to the admin panel if you are viewing the comments page and want to delete a spam comment). Admin cookie must be set to see the link.
  5. Added first page and last page links to the next/prior link line. Added first and last link icon images to the images directory. .tb-first and .tb-last styles were added to style.css and styleCustom.css.
  6. Comment reply form: added radio buttons above comment form submit button that allows administrator to also send the reply via email. Admin cookie must be set to see them.
  7. Added multi language support. You can specify different languages for different pages and visitors can choose between multiple languages. These features are available if you have multiple language files in the language directory.
  8. Added comment purge to the admin maintenance menu panel allowing you to purge comments older than n days.
  9. Added a third option to the “Suppress admin notices” configuration setting for those who don't want to receive new comment notices ever. See admin help panel > Administrator settings > admin_notices for more information.
  10. Added “Discard spam” configuration setting to discard spam comments instead of putting them in the database. With hundreds of spam comments a day, it becomes difficult if not impossible to diligently review them for false positives. With this option enabled, when Akismet flags a comment it is discarded and a message is displayed just in case the comment is from a real person and not a spambot. See the admin help panel > Spam and moderation settings > discard_spam for more information.
  11. Added user agent string to each comment in the database. Changed "Is Ham" and "Is Spam" to send it to Akismet. Not doing this originally was an oversight. See the admin help panel > comment settings > user_agent_days for more information.
  12. Changed the email notices formats from HTML to plain text. Some mail servers were not processing the HTML emails properly. This may have been due to errors on my part in formatting the emails but, since I could not reproduce the problem on my test site, tracking down the condition was next to impossible. The most reliable solution was to change to plain text emails.
  13. Replaced the custom coded database backup routine with the standard mysqldump command. This uses a temporary files directory on your server. Before doing your next backup you must insert the path to that directory in the configuration settings “Path to backup files directory” field. Create the directory (preferably above your web root) if you don’t already have a suitable directory.

    Deleted the database restore. Instead you should use phpMyAdmin to restore a backup file. Note that any existing backup files you have are compatible with phpMyAdmin import.

    These prior version files are no longer needed, you may delete them from your server: includes/db-backup.php, includes/db-restore.php

  14. Reduced spam clutter:
    • Bounced (undeliverable) subscription confirmation emails will no longer be returned to you. They are discarded. You will continue to get bounces for all other emails.
    • There are some conditions under which the script will abort without any error message to the page. If a real person (as opposed to a spambot) was entering the comment, he/she would see a blank page. Unless there is a script bug, these conditions can only occur from a poorly written spambot attempting to insert a comment.

      I don’t want to explain the conditions here because some spambot authors might actually read script documentation and I feel no compulsion to help them debug their scripts. Let them dig through the script source code.

  15. Bug fixes:
    • Corrected error that could cause the author to receive an email as if he were a subscriber if his comment goes to the spam or moderation queue and is then approved.
    • Changed style #tb-panel-link to .tb-panel-link to eliminate validation errors.
    • Corrected error that occurred when sending email if php safe_mode is on.
    • Corrected error when approving a spam comment. After approval the comment would be shown as a reply even though it is not a reply.

version 2.1.1 December 2006

  1. Fixed error in capability for user to change the format of the comment author's name and website field in the comment header.
  2. Fixed error that caused corrected (local) time to be incorrectly displayed in admin config maintenance panel.
  3. Fixed error that caused emoticons to be inserted in comment when the emoticon config option is off and visitor types emoticon code in the comment.

version 2.1 November 2006

Added non-English language support for displaying dates.

version 2.0.2 November 2006

Added rolling eyes emoticon. Moved English text labels for emoticons and quick tag buttons from the php scripts to the language file so that they can be translated without editing scripts.

version 2.0.1 October 2006

Fixed a bug that caused some quick tag buttons to be displayed when the tag is not allowed.

version 2.0 (final) October 2006

I am finished adding features so no more beta releases. This is the official release of version 2.0.