• Avoiding Comment Spam with JavaScript

    Aug 16 2006

    Originally I explained this on the Code Igniter forum, and since others are blogging it, I thought I should bring it here.

    I guess I was nervous about sharing my anti-spam techniques on my own blog in case any spam bots are smart enough to read this article and somehow mutate and adapt. We'll see.

    For a while, I had no problems with comment spam. Then I started to get a couple. Then one day I got like 50 at once, so I did something "extreme" - I made it so users have to have JavaScript to submit comments. I have a randomly generated spam key in PHP, and then use something like this on the page:

    <form id="cform" style="display:none">
        <input id="txtauthor" name="<?= $spam ?>a"/>
        <input id="txtemail" name="<?= $spam ?>e"/>
        <input id="txturl" name="<?= $spam ?>u"/>
        <textarea id="txtbody" name="<?= $spam ?>b" rows="10" cols="40"></textarea>
        <input type="hidden" id="antispam" name="antispam"/>
    <script type="text/javascript">
        document.getElementById('cform').style.display = 'block';
        document.getElementById('antispam').value = '<?= $spam ?>';
    <noscript>Sorry, you need JavaScript to post comments.</noscript>

    So if the spam key is 'xxxx' the author field is 'xxxxa', email 'xxxxe', etc. The spam key is filled using JavaScript. Then on the server side I do this:

    if (isset($_POST['antispam'])) {
        $antispam = $_POST['antispam'];
        $cauthor = $_POST[$antispam . 'a'];
        $cbody = $_POST[$antispam . 'b'];
        $cemail = $_POST[$antispam . 'e'];
        $curl = $_POST[$antispam . 'u'];
        if ($cbody && $cauthor)
            addComment($id, $cemail, $cauthor, $cbody, $curl);

    This has majorly cut down on the number of comment spam I get. I still get the occasional one here and there, but they must all be done by hand instead of with some automated bot.

    Unfortunately, this method means that users without JavaScript can't post comments on here. I regret that, but since nobody posts comments on here anyways, I figure it's not such a loss. :) One day, I would like to add some kind of captcha or approval system to allow posting of comments without JavaScript.

  • Comments

    1. donn at 12:59pm on January 25, 2007


    Thanks for this. I was looking for a solution to my comment spam and your stuff was easy to integrate into my site.


    2. Anonymus at 9:28am on March 29, 2008

    Why not just use the code at http://javascriptkit.com/script/script2/accept_term.shtml and make the users confirm that they are NOT spamming.

    3. bugstomper at 9:42pm on September 12, 2008

    Even simpler, with no server side stuff required, why not set the action field of the form to a bogus URL such as http://example.com/nospam.html and then have the javascript set document.getElementById('cform').action="theRealURL.php"

    That way the spambots don't even try to post to your server, they just waste time on the failed DNS lookup of example.com, and you don't have to check for secret spam fields on your server.

    4. Jesse Skinner at 9:48am on September 13, 2008

    @bugstomper - That is a good idea. However, I have since revamped my solution to build in a very simple CAPTCHA into the form which is pre-populated using JavaScript. This way users with JavaScript disabled are still able to submit comments.

    That said, your solution would work very well if the alternate URL was a CAPTCHA page on my own site, an intermediary test where users without scripting could prove that they are human.

    5. vietnamnews at 11:29pm on November 2, 2008

    this java scripts still can easy bypass, I'm still looking for good way prevent spammer from auto + manually spam my comment. I got some spammer who using auto fill form software, and he change ip every time posting, even clean cookies, resisted new nick name every time, change domain or key word on commments .. i never seen this kind of man doing comment or posting like this.. i using every way sugges from other webmster ( block ip, block keyword, write cookies to track him, block domain, block email, using catpcha, time between post or comments, resisted for making comment, 3 day affter registed can post urls, atless 3 post before post url .. but he still work out :(
    the problems is my forums must alow people posting link on their post in some way ..

    6. Big Ted at 2:03pm on November 24, 2008

    Hi great script does this version include the CAPTCHA? or are you still working on this.

    7. china wholesale at 1:01am on November 17, 2010

    Nice,I love it.

    Commenting is now closed. Come find me on Twitter.