Here is very simple way to solve this problem.

1. Use links with onclick attribute like this:

<a href=”some_url” onclick=”loadContent(page);return false;”>Load Page</a>

The search engines will follow the URL you have given to the “href” attribute. The browser will not follow it because of the “return false” statement in the onclick.

If you are using click handler with jQuery or similar library, follow the same logic.

Your ajax function (in this case called loadContent) should also call the same “some_url”

2. Make sure your system makes difference beetween calling some_url by ajax and calling it normally. This can happen very easy if you add a POST parameter to your ajax request. Then on the server side you can simply check whether the paremeter is there or not.

3. If the request comes by ajax, return only the piece of content that must be loaded in the ajax placeholder in your original page.

If the request does not come by ajax, load a full page with navigation and everything. Why is this needed? Because search engines may index these direct URLs and send traffic there. When real visitor lands on such page you want them to see your full site design with header, footer and navigation, and not just the piece of content that the ajax call needs to load.

I think there’s no need of examples, but if it’s unclear let me know in the comments.

- “Hey, this software is giving me errors! Fix it ASAP!”
Comment: What errors? Which software? Don’t think that the tech guy is in your head.

- “Open this URL: xxxxxxxxxxxxx. Go to A. Then do B. Then click on the green triangle. Then login as XXX/YYY. Try to add ZZZ as a friend. See what’s happening!”
Comment: Why the heck didn’t you just tell me that you were seeing an error?

- “The feature XYZ is not working!!!”
Comment: What exactly is not working? Is it giving an error? Is the screen going blank? How did you understand it’s not working?

- “I’m doing this and that and then the program does that and this”.
Comment: So… why are you telling me this? Is there something wrong in what have happened and if yes, what is wrong?

- “I saw the code, you are using XYZ (recursion, global variable, function instead of class or whatever he thinks is wrong). This is not the right way, I have a friend in Oracle and they are using ZYX!”
Comment: just because the guys in Oracle use something, it doesn’t mean it’s good for your case.

Here is the right way to ask for tech help when there is a problem:

“I have a problem with XYZ. It should do A, but it does B. Here is how to reproduce:… (if asked)”

Or to elaborate a little bit: start with the problem. Don’t tell me to go somewhere and do this or that but tell me what exactly is wrong and why do you think it’s wrong. If there has been an error, copy it and send it to me. If the program is showing a blank screen, tell me it’s a blank screen. If the function is returning wrong result, tell me that and let me know what you think is the right result. Don’t just tell me “it doesn’t work”. This makes the tech support mad and doesn’t bring any useful information. If asked, be ready to explain how to reproduce the error.

Following this pattern you will get your problem solved quickly. Often the tech guys can fix a problem in a minute if you give them the SQL error you have seen on the screen and can lose hours trying to figure out what eventually you could have done so it resulted in some error.

1. Ajax does not declare functions

If you hope to declare functions in Ajax loaded javascripts and call them during execution time you’ll get an unpleasant surprise. It does not work. You need to declare your functions in the loaded page, not in the ajax response. However if you want to call existing functions in your ajax-generated code, no worries, go ahead.

2. IE caches GET requests

Internet Explorer knows how to cache the ajax response and is not afraid to do it. In fact it loves cache so much that you won’t be able to use the dynamic effect of Ajax call to the database if you send your request by GET. If your ajax calls the database, stupid IE keeps returning cached data even if you refresh the entire page.

Solution: Use POST calls. I know it’s slower, but how does it matter when GET does not work well?

3. Ajax does not upload files

If you have an ajax loaded page and you want to include a file upload field in it, I have “great” news for you: it does not work. What, is it not news? Poor you, you have already realized one of the ugliest limitations of ajax. Because of it, the developers need to all kind of gimmicks or use third party scripts with hidden iframes to make file upload works. That’s far away of web standards, user friendly code and search engines.

Hey, if all your users are geeks who browse with Firefox and like to poke config files, you can use this idea. Cool, eh?

4. Ajax causes memory leaks

See here.

5.  How To Make Back/Forward Buttons Work On Ajax Page?

No, this is not a rhetorical question, I am really asking you how. Because I don’t know. Wait, I asked Google and he said this. Does it look simple to you?

Ajax Sucks For SEO

If all you care is to make fancy website, go ahead, use ajax everywhere. If you partner with popular websites or have big bucks for advertising, you’ll have no problems. What, do you say you are on a budget and hope to get visitors from the search engines? Forget either about Ajax or about Google.

Do you know more things that Ajax makes to help you look dumb? Go ahead, share them.

P.S. No, I am not saying don’t use ajax. I’m just pointing few things that suck.

Enjoy the plugin here.

The Problem

Well to be frank, the spam protection described in the previous post works at 100% already in several sites. But in theory if you use that tactic the spammers can easily go around it. They can build a script especially for your site which to check the value in your javascript function and place it in the hidden field.

Let’s make things better

Let’s involve some Ajax to make the spammer’s life even harder. What if instead of using a hardcoded value for the hidden field, you use a key/value combination from a database. When loading your web form, retrieve a single key/value pair from the database. Put the $key in $_SESSION so you have it after submit. Use the key for an ajax function like this (for easy ajax I use Scripaculous):

new Ajax.Request(“?action=ajax_retrieve_value.php”
{
method:’post’,
parameters: {ajaxkey: ‘<?=$key?>’},
onSuccess: function(transport)
{
var response = transport.responseText || “no response text”;
$(‘hidden_field’).value=response;
}
});

The script ajax_retrieve_value.php will retrieve the value corresponding to the key and the javascript function places it in the hidden field.

On submitting the form all you need to do is to run another query and see if the key which is in $_SESSION corresponds to the value coming from the hidden field.

If your ajax_retrieve_value.php checks $_SERVER[REMOTE_ADDR] and allow only the IP of your server, you are spam-proof. Without Captcha at all.

Who knows why (seriously, do you know WHY?) groups of PHP developers keep working on PHP template engines which are supposed to help separating the program logic from the design. One good sample of such useless effort is Smarty.

So Why Smarty Is Evil?

What exactly is Smarty and the similar template engines doing and why is it so bad for your programs to use them? Let me just shoot few reasons:

• Adding one more language to learn. Smarty has its own language which has to be used in the templates whenever you need control flow structures etc. How exactly is this better than using PHP itself?
• Putting presentation code in your logic. They claim to avoid that and at the same time require you to “load” all the variables before you can use them in the template. The absurdic $smarty->assign may take more lines in your code than you need for the program logic.
• Messing Javascripts. Some of the template engines (you guesses it, Smarty again!) don’t let you write normal javascript code in the templates because that crashes their own parser. How convenient!

It’s hard to believe, but most programmers would visit Why Use Smarty page and take everything said there for real. However I prefer to think myself:

“Designers can’t break application code. They can mess with the templates all they want, but the code stays intact. The code will be tighter, more secure and easier to maintain.”

- Really? Designers can break the application code, because the templates (view layer if you use MVC) contain logic themselves. In no way the template engines protect you from that

“With presentation on its own layer, designers can modify or completely redesign it from scratch, all without intervention from the programmer”

- Big fat lie. The programmer needs to load all variables, prepare arrays and do presentation related work in the controller layer. The presentation is not on its own layer so the designers often need the programmer’s help.

“Programmers aren’t messing with templates. They can go about maintaining the application code, changing the way content is acquired, making new business rules, etc. without disturbing the presentation layer.”

- See all the points aboe. The programmers do mess with the templates.

“Templates are a close representation of what the final output will be, which is an intuitive approach. Designers don’t care how the content got to the template. If you have extraneous data in the template such as an SQL statement, this opens the risk of breaking application code by accidental deletion or alteration by the designer.”

- If the programmer puts SQL statement in their view layer, then they simply need some education. Using simple PHP templates you can and should keep all the logic away from the presentation layer. You don’t need Smarty, Fast templates or similar misconceptions.

So How Do You Go Without Template Engines?

PHP is template language itself. You don’t need another one. Just separate your logic from your presentation. Keep your logic in a php script, then your presentation in HTML template. When you need control flow in the HTML file, just use pieces of PHP code.  It’s really as simple as that. In your PHP script you can use include  or require to display the template. All the variables which are in the scope of the script will be available in the template as well. No loading required, no messy presentation code in the controller layer.

If you need samples, just let me know (hint, use the comment option).

But they are boring.

The Captcha can significantly decrease the rate of feedback (comments) you get on your blog, the contact inquiries you receive, the registrations on your membership site or even the orders on your e-store.

They are discriminative to people who can’t see well and often confuse these who are not used to them.

Some Captcha-s are hard to be “decoded” even from a well seeing person.

By rough estimate requiring the users to enter Turing code can decrease their participation with up to 50% percents.

There are some other methods to stop the spam bots, which are less discriminative than the Captcha. For example some blogs will ask you “How much is 1 + 5″ or “Is the fire hot or cold?” to check if you are human and not a bot. These methods are good, but they also require the active participation of the user and can push them off.

The Elegant Solution To Stop Spam Bots

I implemented this solution for a site which was using custom coded by me CMS system. There were no Turing codes or any other tools to prevent from spamming and the site quickly get flooded with spam comments.

Let me take you straight to the solution. It sopped 100% of the spam comments:

1. Create a hidden field in the feedback (comment, registration or whatever) form
2. Add Javascript code which fills some specific value in this field when the document get loaded
3. When the form is submitted, check if the hidden field has exactly the value which should have been filled with the Javascript code. If it does not have it, then the comment is spam.

Here is an example:

<script language=”javascript”>
function cheatSpammers()
{
//give the hidden field some meaningful name, like for example “website”. The spambot
//will fill it with some crap or will ignore it document.getElementById(“website”).value=”http://google.com/”;
}
</script>

Now in the body, start the function:

<body onload=” cheatSpammers();”>

Then in the contact/comment form, add the hidden field. We will not make it “hidden”, to avoid smarter bots which can mark such field as suspicious. Instead, we’ll make it hidden with CSS:

<style type=”text/css”>
.websitefield
{
display:none;
}
</style>

<input type=”text” class=”websitefield” name=”website”>

This is VERY simple and it works 100%. The spam bots cannot run Javascript. Only browsers can do.

Of course, if a spammer write a spam bot especially for your site, they can just take the value from the javascript and fill it. But the spammers use generic bots for many sites, so this simple solution works perfectly.

Do you have even better ideas how to outsmart the spammers? Please share!