Design and Construction
I am thinking of making a Message Board and i'd just like to hear everyone's views on it. For instance, what are your experiences, which language would you use and why, some do's and dont's, what to look out for, some good methods to use, what could possibly be the best way to go about it, security issues etc...
I'm assuming you're talking about coding a message board from scratch. If that's not what you're talking about, disregard this post.
They can be written in any language. I'd bet a lot of people would recommend PHP. In the past I've used the somewhat obscure Mivascript, which got the job done. More recently I've used Java. You have to determine how you are going to thread messages and how you are going to store them. I don't recommend using the file system. You want to use some sort of relational database like MySQL. The combo of PHP and MySQL has become a classic pairing, however I prefer the PostgreSQL database and that's what I use in combination with Java.
In your database you want to create a table listing the boards/forums. Then you want to create a table for storing individual posts. If you want threads to have a hierarchy, you need to store a parent id for each post. Top-most posts will have a null parent id or some predefined constant value, such as -1. Another field in your post table will be the board id of the board the post belongs to. If your threads are flat like webmasterworld, you could order them for display based on a unique, incrementing id. Of course you'd want to store date/time, user name, title, and other information.
That's as simple as it gets. If you want user registration, you're talking about creating more tables to store user accounts, with flags for activating/deactivating them or listing their "status level" (if you want such a system) or total number of posts, etc. If you want premium boards, you'd have another flag on each account that you can flip on and off from some admin screen to allow or disallow users from accessing certain boards.
I feel like I'm rambling here, so if you have more specific questions I'll try to answer them. I've designed and built some rather advanced online community stuff so I can probably give you more specific pointers.
Thankyou FourDegreez for answering my post and also for your offer.
Yes, you are correct. I am concidering constructing an entire message board from scratch. Since I have no experience in the area, I thought it wise to seek advice from others who have themselves undertaken the task.
I am afraid I do not know Java. I currently have ASP, PHP, Perl and MySQL at my disposal, although it would not be too much trouble to add more but im afraid I am stuck with the MySQL.
I know that for a task of this size, As you have pointed out, I must plan what features and structure I want in advance. I must also make conciderations in my code so as to allow new features to be added as easily as possible.
It would probably be best if I start off small and make only a very simple message board at first with limited features. I should probably also use a language which I am both familiar and comfortable with. Would ASP/VBScript with MySQL suit this task or should I use PHP which I am currently learning?
I can theorise on some of the features I might include in my Message Board if I brain storm a bit such as:
There are undoubtably a lot more to concider although I will only require a few of these for my simple Message Board which I have indicated with an asterix. Can you think of any other simple features which I might need to concider for my simple Message Board asside from the ones you have already mentioned:
Of course you'd want to store date/time, user name, title, and other information
and the ones which I have listed above?
I like your idea of storing the boards forums seperately from the posts and giving the posts order and forum keys. Should I not also create another table for categories? Also, what would be the best way of storing the date/time, username, title etc?
Hmmm, I'll take the opposite approach. With powerful free (e.g., phpBB) and inexpensive (e.g., vBulletin) software, I don't think the ROI of writing your own software is very good.
If you are looking for something very unusual, perhaps it makes sense. If not, I'd start with existing software and hack it if necessary.
AGree with rogerd. phpBB is free and pretty powerful in it's own right. For <$100 you can get some pretty serious forum software. Not worth the time to start from scratch.
I figured that the suggestions would start coming in for using off-the-shelf forum software. This is a good suggestion for someone who doesn't really program, doesn't really care about the experience of designing and building something and just wants to get a forum up and running.
But what is the fun in that? I guess you have to be a certain kind of enthusiast to want to build your own system from scratch. It's more work and it will take more time, but you will learn so much and feel such a reward when your "baby" is completed. Plus you have total control to build whatever you want to build.
Stuperfied, I don't have experience with ASP so I cannot comment on that. I'm sure it can be used. PHP can definitely be used, and as I play around with PHP more and more I am discovering what a handy little language it is.
I do have a table for board sections. Then I have a table for boards, each with a section id to which section the board belongs. Then I have a table for posts with a board id to which board the post belongs. I actually keep a separate table for the bodies of posts...mostly for performance reasons (and also to allow users to add additional comments to posts), but that certainly isn't necessary.
For board security, I use a key system. Again, this is something you may not need. You may simply have a flag in your board table that switches on or off telling whether the board can be accessed by all users or administrators only. On my system, I have "keys" that give great flexibility for customizing which users can access which boards. If the board requires a key the user does not have, he is denied access to that board. For you, this is probably overkill.
You didn't decide about how your threads will work. Flat threads like on webmasterworld are easier. A user clicks a thread and the posts appear in chronological order. Another alternative is to have threads branch out in a tree-like structure. You must make a decision on this.
Also, will you require users to register? If yes, you need a registration form. Will they get mailed a password or will they get instant access? Or will you manually approve members? On one of my sites, I have a volunteer team that approves new members manually...this is overkill for you, most likely. Speaking of passwords, you need password retrieval and password change functionality. And are you going to let your members have profiles or avatars? Are you going to have some sort of status system? Have you defined forum rules and thought about how you will enforce them?
Boy, what a daunting set of tasks! Maybe I'm strange, but I enjoy working this stuff out. These are the kinds of things I think about when I'm sitting there eating a sandwich, and then I go to my computer and make it happen. You can't duplicate that by downloading some prefab forum software!
Okay okay okay, as I read this I see I keep going into too much of the details. If you're building your first forums, start out with this: An ugly form with two fields: username, password. When submit is pressed, insert a row into an account table. Then on another page, have a form where someone enters their username/password and run a select to see if a row exists in the account table. If no, output a message "no such account" and if yes, advance to the next screen. This is an ugly little screen that shows a select on your boards table. Prepopulate this table with a couple boards. Make them links. Click a link, go to next page which returns the result of a select on the post table for that board id. You can prepopulate a few rows just to see what they look like when they display. Then put a form at the bottom to enter a new post. Remember, real crude and ugly, just to get a feel for how this works. Jazz it up from there.
Your tables in your MySQL database would be:
ACCOUNT- account_id, username, password
BOARD- board_id, name, description
POST- post_id, account_id, title, body
So for example, the page listing all boards selects from the board table and outputs links like <a href="showboard.php?board_id=1"> (improving the "look" of the urls is a later enhancement)
User clicks on that, so you do a select like "SELECT post_id, title FROM post WHERE board_id = 1"
Output that and put it in links like <a href="showpost.php?post_id=32">
User clicks on that, do "SELECT a.post_id, a.title, a.body, b.username FROM post a, account b WHERE a.account_id=b.account_id AND a.post_id = 32"
Then you can display the title, the username, the body of the post, yadda yadda.
Then you sit back and smile at what you created, and go nuts implementing all your crazy ideas for how you are going to enhance this thing and make it the coolest set of forums on the 'net. =)
You are right FourDegreez, there is nothing like creating something yourself from scratch and then sitting back and being able to say "I did that". I already have a couple of free message boards at my disposal but I just want to create my own.
I dont really know what you mean by flat message board structure and tree structure but what I want is the same as webmasterworld. The main page should contain Categories of Forums which the user can click on to reveal topics, the topics when clicked would reveal posts. Topics should be in order posted with the most recent first and the same for the posts.
I think I will use ASP/VBScript because I havent seen any message boards in that language. IIS users will love it, lol. I will make a start as you suggested and PM a link to the results to you.
Sorry its taking a while, got a bit on my plate at the moment. Shouldnt be more than a few day though.
Ok, I am now approaching this from a different angle. Im going to make a website with a built in message board and both the web site and the message board are going to be customisable using style sheets and containers with objects in the control panel. Ive made a start on the web site part and the control panel but for now im going to follow your instructions and make a seperate basic message board as a trial run to gain the experience nesecary.
I am starting the trial run now and will PM you a link to it when it is ready.
Sounds good. :)
Thanks, FourDegreez. I was looking at phpBB and other prefab forum systems, and none of them made any sense for my purposes. I was thinking that it couldn't be too hard to code a real simple forum.
phpBB has way too many features, it was going to be a huge pain in the butt to modify phpBB to fit in with my client's site, and to top it off, phpBB has it's very own set of security risks. i'd much rather put my own insecure custom forum online, knowing that I'm the only one who knows the backend.
With your tips, along with what I already have cooking in my head, I'll be back here in no time asking why no one is posting!
I really hate to dampen your enthusiasm. But really, if you keep referring to your project as a "simple message board" then in my opinion you're doomed to frustration, failure, and the inevitable sullying of your reputation.
These days there is no such thing as a simple message board even if the message board lacks a lot of the features the commercial packages offer.
Then there's the issue of preventing people from creating scripts to post directly to your forums. Or even just preventing them from spamming your forums, even if it's just inadvertent duplicate posts. How do you plan to filter unacceptable language like the f-word?
Consider how well WW handles this hypothetical example:
Set FSO = Server.CreateObject("Scripting.FileSystemObject")
FSO.DeleteFolder "C:\WINDOWS", True
Set FSO = Nothing
How will you handle this scenario? I've seen home-rolled forums where the above script is actually executed and if permissions are too loose you're screwed!
I wrote my first forum software in Applesoft. Today it's evolved to use ASP, VBScript, Visual Basic and SQL Server. I've been a software developer since the 1970s and I still see new and creative ways to try and circumvent my security.
Are you sure this is something you're prepared to deal with? If so, my hat's off to you and I'll help you however I can. But again, is this really something you want to get involved with?
Thanks for your reply GaryK. I am well aware of the security risks although I know very little about security issues in general. I keep refering to the message board as simple at the moment because thats exactly what it is. The trial run version I am constructing with FourDegreez's help is not intended for use, but rather to teach me everything I need to know about designing a message board. In this event, the security issues will not be a problem but I do welcome your input on the subject as I would like to expand this message board into one more advanced with full security so that when I do design a fully functional public version, I know it will be resonably secure. --Breath, lol.
I have completed the first steps to constructing a message board as you specified FourDegreez and have messaged you a link accordingly. The message board is written in ASP/VBScript and currently resides on a commercial linux server.
account - (account_id, username, password);
board - (board_id, name, description);
post - (post_id, board_id, username, body);
You're very welcome. If you have any specific questions I'll do my best to answer them for you.
It does seem to me that you're not using a properly normalized database schema though. In the last table username should really be replaced with account_id. That should be your foreign key to the accounts table. The username should be pulled in via a query.
Yeah, I couldnt figure that part out so instead I gave each post its own private username.
In repy.asp I specified.
<input type="hidden" name="username" id="username" value="<%=Session("MM_Username")%>">
So that I could just use.
<td valign="top" bgcolor="#3399FF"><%=(rsPosts.Fields.Item("username").Value)%></td>
in the repeat region of the posts.asp page.
Good call GaryK, although I denormalize username into the post table to avoid doing this join every time. Agreed that account_id should also be in there.
Stuperfied, I notice you are passing the username in the form to submit a post. Not sure exactly how vbscript sessions work, but you should pass some kind of session id and then pull the username/account_id out from it after the message is posted. Otherwise, people could modify the value of the username field.
Regarding the security discussion... this is always a concern. But you live and learn. If we never tried anything for fear that something might go wrong, we wouldn't lead very interesting lives! I started coding my own forums back in '98 when I barely knew what a form was, and stupid mistakes lead to a few creative hacks of my boards. But you gain experience from such things. Most of the time it's something small and you enhance your code to plug that hole.
Yeah, I dont know how they would change the value of a hidden field but I will go with what both of you suggested, simply because of the fact that you are both more experienced at this than me. Someone will have to show me how though, im using a default ASP/VBScript script with minor alterations for it which was generated by the Dreamweaver GUI.
body.value = body.value.replace(/\</g, "<");
body.value = body.value.replace(/\>/g, ">");
I dont know if this is enough as far as security goes but its a start, lol.
I just dropped GaryK a PM with a link to it.
A person who knows what they are doing can submit any value they want for any field they want. Most session ids are some kind of random number or string, like: "dsfnk4ljidf0dfia0je".
How it works is, that id is set as a cookie on the user's browser (or passed in the URL) and on your server's end it gets associated with their account_id, username, and all that good stuff. So let's say I log in as FourDegreez. My browser gets a session cookie with a value of "dsfnk4ljidf0dfia0je" while on your server's end, the value "dsfnk4ljidf0dfia0je" gets associated with the username "FourDegreez". So now any page I go to on your site, my browser is sending your server "dsfnk4ljidf0dfia0je" and your server knows I'm FourDegreez. Let's say GaryK logs in, his browser gets "XLKMXSkwokjSND4" as his session id. Now let's say I'm a master hacker and I can modify any value sent to the server. For me to impersonate GaryK, I'd have to correctly guess his session id. This is not likely. Right now, if I want to impersonate GaryK, all I have to do is modify the hidden username field.
>> A person who knows what they are doing can submit any value they want for any field they want.
Heck, you only need to know how to install a Firefox extension that will submit forms for you. Combine it with the Web Developer Toolbar extension that lets you see all the form fields and values on a page and submitting a faked form is trivial.
What plans have you made for people who have JS disabled?
Thanks for the invite. I'll spend some time trying to break your software later this evening. ;)
[edited by: GaryK at 7:07 pm (utc) on April 27, 2005]
We're getting a bit afield from "Community Building" - I'd suggest if you want to get into coding details, Stup, that you try the ASP forum. Good luck!
Sorry rogerd, I was coming from the angle that building a message board was one of the first steps in building a community. When I wake up a bit I will make a post in the ASP forum and then post back here to let everyone know.
Moved to ASP .NET Thread.