Forum Moderators: rogerd
They can be written in any language. I'd bet a lot of people would recommend PHP. In the past I've used the somewhat obscure Mivascript, which got the job done. More recently I've used Java. You have to determine how you are going to thread messages and how you are going to store them. I don't recommend using the file system. You want to use some sort of relational database like MySQL. The combo of PHP and MySQL has become a classic pairing, however I prefer the PostgreSQL database and that's what I use in combination with Java.
In your database you want to create a table listing the boards/forums. Then you want to create a table for storing individual posts. If you want threads to have a hierarchy, you need to store a parent id for each post. Top-most posts will have a null parent id or some predefined constant value, such as -1. Another field in your post table will be the board id of the board the post belongs to. If your threads are flat like webmasterworld, you could order them for display based on a unique, incrementing id. Of course you'd want to store date/time, user name, title, and other information.
That's as simple as it gets. If you want user registration, you're talking about creating more tables to store user accounts, with flags for activating/deactivating them or listing their "status level" (if you want such a system) or total number of posts, etc. If you want premium boards, you'd have another flag on each account that you can flip on and off from some admin screen to allow or disallow users from accessing certain boards.
I feel like I'm rambling here, so if you have more specific questions I'll try to answer them. I've designed and built some rather advanced online community stuff so I can probably give you more specific pointers.
Yes, you are correct. I am considering constructing an entire message board from scratch. Since I have no experience in the area, I thought it wise to seek advice from others who have themselves undertaken the task.
I am afraid I do not know Java. I currently have ASP, PHP, Perl and MySQL at my disposal, although it would not be too much trouble to add more, but I'm afraid I am stuck with the MySQL.
I know that for a task of this size, as you have pointed out, I must plan what features and structure I want in advance. I must also make considerations in my code so as to allow new features to be added as easily as possible.
It would probably be best if I start off small and make only a very simple message board at first with limited features. I should probably also use a language which I am both familiar and comfortable with. Would ASP/VBScript with MySQL suit this task or should I use PHP which I am currently learning?
I can theorise on some of the features I might include in my Message Board if I brain storm a bit such as:
Login
Admin
Control Panel
*Categories
*Forums
*Topics
*Posts
*Confirmation pages
User Authentication
BB Code
Smilies
Private Messages
Email Notification
Profiles
Style Sheets
Skins
There are undoubtedly a lot more to consider, although I will only require a few of these for my simple Message Board, which I have indicated with an asterisk. Can you think of any other simple features which I might need to consider for my simple Message Board aside from the ones you have already mentioned:
Of course you'd want to store date/time, user name, title, and other information
I like your idea of storing the boards forums separately from the posts and giving the posts order and forum keys. Should I not also create another table for categories? Also, what would be the best way of storing the date/time, username, title etc?
If you are looking for something very unusual, perhaps it makes sense. If not, I'd start with existing software and hack it if necessary.
But what is the fun in that? I guess you have to be a certain kind of enthusiast to want to build your own system from scratch. It's more work and it will take more time, but you will learn so much and feel such a reward when your "baby" is completed. Plus you have total control to build whatever you want to build.
Stuperfied, I don't have experience with ASP so I cannot comment on that. I'm sure it can be used. PHP can definitely be used, and as I play around with PHP more and more I am discovering what a handy little language it is.
I do have a table for board sections. Then I have a table for boards, each with a section id to which section the board belongs. Then I have a table for posts with a board id to which board the post belongs. I actually keep a separate table for the bodies of posts...mostly for performance reasons (and also to allow users to add additional comments to posts), but that certainly isn't necessary.
For board security, I use a key system. Again, this is something you may not need. You may simply have a flag in your board table that switches on or off telling whether the board can be accessed by all users or administrators only. On my system, I have "keys" that give great flexibility for customizing which users can access which boards. If the board requires a key the user does not have, he is denied access to that board. For you, this is probably overkill.
You didn't decide about how your threads will work. Flat threads like on webmasterworld are easier. A user clicks a thread and the posts appear in chronological order. Another alternative is to have threads branch out in a tree-like structure. You must make a decision on this.
Also, will you require users to register? If yes, you need a registration form. Will they get mailed a password or will they get instant access? Or will you manually approve members? On one of my sites, I have a volunteer team that approves new members manually...this is overkill for you, most likely. Speaking of passwords, you need password retrieval and password change functionality. And are you going to let your members have profiles or avatars? Are you going to have some sort of status system? Have you defined forum rules and thought about how you will enforce them?
Boy, what a daunting set of tasks! Maybe I'm strange, but I enjoy working this stuff out. These are the kinds of things I think about when I'm sitting there eating a sandwich, and then I go to my computer and make it happen. You can't duplicate that by downloading some prefab forum software!
Okay okay okay, as I read this I see I keep going into too much of the details. If you're building your first forums, start out with this: An ugly form with two fields: username, password. When submit is pressed, insert a row into an account table. Then on another page, have a form where someone enters their username/password and run a select to see if a row exists in the account table. If no, output a message "no such account" and if yes, advance to the next screen. This is an ugly little screen that shows a select on your boards table. Prepopulate this table with a couple boards. Make them links. Click a link, go to next page which returns the result of a select on the post table for that board id. You can prepopulate a few rows just to see what they look like when they display. Then put a form at the bottom to enter a new post. Remember, real crude and ugly, just to get a feel for how this works. Jazz it up from there.
Your tables in your MySQL database would be:
ACCOUNT- account_id, username, password
BOARD- board_id, name, description
POST- post_id, account_id, title, body
So for example, the page listing all boards selects from the board table and outputs links like <a href="showboard.php?board_id=1"> (improving the "look" of the urls is a later enhancement)
User clicks on that, so you do a select like "SELECT post_id, title FROM post WHERE board_id = 1"
Output that and put it in links like <a href="showpost.php?post_id=32">
User clicks on that, do "SELECT a.post_id, a.title, a.body, b.username FROM post a, account b WHERE a.account_id=b.account_id AND a.post_id = 32"
Then you can display the title, the username, the body of the post, yadda yadda.
Then you sit back and smile at what you created, and go nuts implementing all your crazy ideas for how you are going to enhance this thing and make it the coolest set of forums on the 'net. =)
I don't really know what you mean by flat message board structure and tree structure but what I want is the same as webmasterworld. The main page should contain Categories of Forums which the user can click on to reveal topics, the topics when clicked would reveal posts. Topics should be in order posted with the most recent first and the same for the posts.
I think I will use ASP/VBScript because I haven't seen any message boards in that language. IIS users will love it, lol. I will make a start as you suggested and PM a link to the results to you.
I am starting the trial run now and will PM you a link to it when it is ready.
phpBB has way too many features, it was going to be a huge pain in the butt to modify phpBB to fit in with my client's site, and to top it off, phpBB has its very own set of security risks. I'd much rather put my own insecure custom forum online, knowing that I'm the only one who knows the backend.
With your tips, along with what I already have cooking in my head, I'll be back here in no time asking why no one is posting!
Thanks,
Dan
These days there is no such thing as a simple message board even if the message board lacks a lot of the features the commercial packages offer.
As just one small example, how will you prevent your members from entering harmful HTML tags, JavaScript or even whatever scripting language you use?
Then there's the issue of preventing people from creating scripts to post directly to your forums. Or even just preventing them from spamming your forums, even if it's just inadvertent duplicate posts. How do you plan to filter unacceptable language like the f-word?
Consider how well WW handles this hypothetical example:
<%
Set FSO = Server.CreateObject("Scripting.FileSystemObject")
FSO.DeleteFolder "C:\WINDOWS", True
Set FSO = Nothing
%>
How will you handle this scenario? I've seen home-rolled forums where the above script is actually executed and if permissions are too loose you're screwed!
I wrote my first forum software in Applesoft. Today it's evolved to use ASP, VBScript, Visual Basic and SQL Server. I've been a software developer since the 1970s and I still see new and creative ways to try and circumvent my security.
Are you sure this is something you're prepared to deal with? If so, my hat's off to you and I'll help you however I can. But again, is this really something you want to get involved with?
I have completed the first steps to constructing a message board as you specified FourDegreez and have messaged you a link accordingly. The message board is written in ASP/VBScript and currently resides on a commercial linux server.
Tables
account - (account_id, username, password);
board - (board_id, name, description);
post - (post_id, board_id, username, body);
It does seem to me that you're not using a properly normalized database schema though. In the last table username should really be replaced with account_id. That should be your foreign key to the accounts table. The username should be pulled in via a query.
In repy.asp I specified.
<input type="hidden" name="username" id="username" value="<%=Session("MM_Username")%>">
<td valign="top" bgcolor="#3399FF"><%=(rsPosts.Fields.Item("username").Value)%></td>
Stuperfied, I notice you are passing the username in the form to submit a post. Not sure exactly how vbscript sessions work, but you should pass some kind of session id and then pull the username/account_id out from it after the message is posted. Otherwise, people could modify the value of the username field.
Regarding the security discussion... this is always a concern. But you live and learn. If we never tried anything for fear that something might go wrong, we wouldn't lead very interesting lives! I started coding my own forums back in '98 when I barely knew what a form was, and stupid mistakes led to a few creative hacks of my boards. But you gain experience from such things. Most of the time it's something small and you enhance your code to plug that hole.
In the area of security, I have placed the entire body's contents into one main divide. I have also placed an onClick javascript event on the submit button which hides the main divide and then performs the following actions:
body.value = body.value.replace(/\</g, "&lt;");
body.value = body.value.replace(/\>/g, "&gt;");
I just dropped GaryK a PM with a link to it.
How it works is, that id is set as a cookie on the user's browser (or passed in the URL) and on your server's end it gets associated with their account_id, username, and all that good stuff. So let's say I log in as FourDegreez. My browser gets a session cookie with a value of "dsfnk4ljidf0dfia0je" while on your server's end, the value "dsfnk4ljidf0dfia0je" gets associated with the username "FourDegreez". So now any page I go to on your site, my browser is sending your server "dsfnk4ljidf0dfia0je" and your server knows I'm FourDegreez. Let's say GaryK logs in, his browser gets "XLKMXSkwokjSND4" as his session id. Now let's say I'm a master hacker and I can modify any value sent to the server. For me to impersonate GaryK, I'd have to correctly guess his session id. This is not likely. Right now, if I want to impersonate GaryK, all I have to do is modify the hidden username field.
Heck, you only need to know how to install a Firefox extension that will submit forms for you. Combine it with the Web Developer Toolbar extension that lets you see all the form fields and values on a page and submitting a faked form is trivial.
>>onClick javascript event on the submit button
What plans have you made for people who have JS disabled?
Thanks for the invite. I'll spend some time trying to break your software later this evening. ;)
[edited by: GaryK at 7:07 pm (utc) on April 27, 2005]
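An added example (not code from any poster in this thread), in JavaScript for Node.js, of the two server-side points raised above: the author of a post is looked up from the session id rather than read from a form field, and `<` and `>` are escaped on the server so the result does not depend on the browser running an onClick handler. The function names, the in-memory session store and the sample values are assumptions made for this example.

```javascript
const { randomBytes } = require("crypto");

// In-memory session store (assumption for this example): session id -> account.
const sessions = new Map();

// Called after a successful login; the returned id is the cookie value.
function login(accountId, username) {
  const sid = randomBytes(16).toString("hex"); // 128 random bits
  sessions.set(sid, { accountId, username });
  return sid;
}

// Server-side escaping. "&" goes first so the entities produced by the
// later replacements are not themselves escaped again.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Handle a reply submission. `form` is whatever the client sent; a
// `username` field in it is ignored because the client controls it.
function handleReply(sid, form, posts) {
  const session = sessions.get(sid);
  if (!session) return { ok: false, error: "not logged in" };
  const boardId = Number(form.board_id);
  if (!Number.isInteger(boardId)) return { ok: false, error: "bad board id" };
  const body = String(form.body || "").trim();
  if (body === "") return { ok: false, error: "empty post" };
  const post = { accountId: session.accountId, boardId, body };
  posts.push(post); // store the raw text; escape when rendering
  return { ok: true, post };
}

// Render one stored post as a table row. The author name is resolved from
// account_id, and both cells are escaped at output time.
function renderPost(post, usernameFor) {
  return "<tr><td>" + escapeHtml(usernameFor(post.accountId)) + "</td><td>" +
    escapeHtml(post.body) + "</td></tr>";
}
```

Storing `accountId` on the post instead of a username also matches the normalization advice given earlier in the thread.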