What is it?
Axamol Message Board is a web-based message board with a solid relational schema, a well-defined rich-text format for messages, and excellent code organization. Since it uses Axamol SAX Pipeline, I'm confident that it has no cross-site scripting vulnerabilities.
It is not a complete message board system—it may become one someday, but for now it is missing important features. If you just want a message board to use today, you should look elsewhere.
Where can I see it?
I've got a live demo here.
What's so great about this design?
- It has a solid relational schema. You can look at a (somewhat old) diagram here. Other message boards seem to make many elementary mistakes; one even has a separate table for each forum, which violates several important principles. Mine is completely normalized. I may end up storing some denormalized data if performance shows it's necessary, but never until a need is shown.
- It has good code organization. It separates the core code into four main pieces:
  - Java actions, which handle authentication, actually update the database, and redirect to the appropriate presentation page. (They live in this directory in the repository.)
  - AFP (JSP-like) presentation pages, which gather and format data. (They live in this directory in the repository and the WEB-INF subdirectory.)
  - XSL templates, which fill in the finer details. (They live in this directory in the repository.)
  - A library of SQL queries and DML statements. (Autogenerated documentation.)
- It's more secure: it is completely invulnerable to entire classes of vulnerabilities. I am certain that there are no
  - buffer overflows or format-string vulnerabilities, since it's written in Java. (This much is true for many other message boards.)
  - SQL injection vulnerabilities, since I always use bind variables for parameters. Many other message boards attempt to quote every parameter by hand every time and inevitably forget one. I let bind variables take care of that for me.
  - cross-site scripting attacks, since my XFP pages use SAX to serialize data. SAX correctly escapes by default; when I want something to be handled as XML, I say so explicitly.
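The bind-variable point above, as an added example that is not part of the message board's code: the board itself is Java and uses JDBC, but this self-contained Python script uses sqlite3 (its `?` placeholders play the role of a JDBC PreparedStatement's bind variables) so it runs offline. The table and rows are constructed here and do not reproduce the real schema. It contrasts the "quote every parameter by hand" pattern, which works only as long as nobody forgets the quoting step, with a bound parameter, which the database never interprets as SQL.

```python
import sqlite3

# Constructed sample data standing in for a "post" table; the real
# Axamol schema is not reproduced here.
SAMPLE_POSTS = [
    (1, "general", "Welcome"),
    (2, "general", "Forum rules"),
    (3, "private", "Admin notes"),
]


def make_db():
    """Create an in-memory database holding the sample posts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE post (id INTEGER PRIMARY KEY, forum TEXT, subject TEXT)"
    )
    conn.executemany("INSERT INTO post VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn


def posts_in_forum_quoted(conn, forum):
    """Hand-quoting: the author remembered to double single quotes here..."""
    quoted = forum.replace("'", "''")
    sql = "SELECT id FROM post WHERE forum = '" + quoted + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def posts_in_forum_concat(conn, forum):
    """...but the same pattern elsewhere, with the quoting step forgotten.

    The parameter becomes part of the SQL text, so a value containing a
    quote changes the meaning of the statement.
    """
    sql = "SELECT id FROM post WHERE forum = '" + forum + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def posts_in_forum_bound(conn, forum):
    """Bind variable: the value is sent separately from the SQL text and is
    treated as data no matter which characters it contains, so there is
    nothing to remember on each call site."""
    rows = conn.execute(
        "SELECT id FROM post WHERE forum = ? ORDER BY id", (forum,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    probe = "general' OR '1'='1"          # constructed hostile input
    print("bound :", posts_in_forum_bound(db, probe))   # []
    print("quoted:", posts_in_forum_quoted(db, probe))  # []
    print("concat:", posts_in_forum_concat(db, probe))  # [1, 2, 3]
```

With the benign value `general` all three functions agree; with a value containing a quote, only the function whose author forgot the quoting step returns rows from every forum, which is exactly the failure the bind-variable approach removes from the code base.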
Can I use the SQL libraries and AXP pages in my own projects?
Yeah, those are separate chunks of software called Axamol SQL Library and Axamol SAX Pipeline.
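The SAX escaping behaviour described in the security list above, as an added example that is not Axamol SAX Pipeline's code: the pipeline is Java, but Python's standard `xml.sax` exposes the same ContentHandler model, so this script runs offline. Untrusted message text goes through `characters()`, which the serializer escapes; a body is treated as markup only when the caller says so explicitly, and even then it is parsed rather than pasted, so a malformed fragment is rejected instead of reaching the output. The `render_message` function and the `message` element are constructed for this example.

```python
import io
import xml.sax
from xml.sax.saxutils import XMLGenerator


class _Forward(xml.sax.ContentHandler):
    """Forward element and text events from an inner parse to a serializer,
    dropping the inner parser's startDocument/endDocument events."""

    def __init__(self, sink):
        super().__init__()
        self.sink = sink

    def startElement(self, name, attrs):
        self.sink.startElement(name, attrs)

    def endElement(self, name):
        self.sink.endElement(name)

    def characters(self, content):
        self.sink.characters(content)


def render_message(author, body, body_is_xml=False):
    """Serialize one message through a SAX ContentHandler and return the XML.

    By default `body` is untrusted text: it is emitted via characters(), so
    the serializer escapes <, > and &.  Only with body_is_xml=True is it
    handled as XML, and then it must parse as a well-formed fragment
    (xml.sax raises SAXParseException otherwise).
    """
    out = io.StringIO()
    gen = XMLGenerator(out, encoding="utf-8")
    # Attribute values are quoted by the serializer as well.
    gen.startElement("message", {"author": author})
    if body_is_xml:
        xml.sax.parseString(body.encode("utf-8"), _Forward(gen))
    else:
        gen.characters(body)
    gen.endElement("message")
    return out.getvalue()


if __name__ == "__main__":
    # Constructed inputs: user text containing markup-like characters, and a
    # fragment the caller deliberately treats as XML.
    print(render_message("scott", "<b>not bold</b> & 1 < 2"))
    print(render_message("scott", "<p>Hi <b>you</b></p>", body_is_xml=True))
```

The default path cannot produce a tag from user input, because the serializer only ever writes escaped text for `characters()`; the explicit path produces markup, but only markup that parsed, which is why the "well-formed XML fragment" requirement mentioned under missing features matters for the input side.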
What needs to be done?
Test it with a large database and check the performance. I don't know how it will perform in this situation—SQL query execution plans are tailored to the data. The optimizers in databases such as PostgreSQL and Oracle not only look at the number of records before generating an execution plan, but also do a surprisingly sophisticated statistical analysis. Thus, it's difficult to create dummy data for performance testing. The currently-generated execution plans will perform well only for small databases, but this is normal.
I suspect there will be performance problems in some of the queries. It may be necessary to create triggers to maintain some denormalized data for speed. However, I will not do so unless (or until) the need is clearly demonstrated.
The security could be improved even more. The web application should connect as an RDBMS user with the minimum necessary privileges, as another layer of security. This is just a matter of adding some grant statements and possibly moving some things into views and stored procedures.
And there are tons of missing features:
- any administrative features
- breaking up large comment blocks into multiple pages
- "text-only" / "mixed" modes for entering text, friendlier than expecting people to produce well-formed XML fragments.
- more control over email notifications
Copyright © 2003–2005 Scott Lamb <slamb@slamb.org>.