Some time ago I wrote about how to stop spammers without Captcha. The technique described there already works well on several sites, but there is a way to go even further.

The Problem

Well, to be frank, the spam protection described in the previous post already works at 100% on several sites. But in theory, if you use that tactic, spammers can easily get around it. They can build a script specifically for your site that reads the value in your JavaScript function and places it in the hidden field.

Let’s make things better

Let’s involve some Ajax to make the spammer’s life even harder. What if, instead of using a hardcoded value for the hidden field, you use a key/value combination from a database? When loading your web form, retrieve a single key/value pair from the database. Put the $key in $_SESSION so you have it after submit. Use the key in an Ajax function like this (for easy Ajax I use Scriptaculous):

new Ajax.Request('?action=ajax_retrieve_value.php', {
  parameters: {ajaxkey: '<?=$key?>'},
  onSuccess: function(transport) {
    var response = transport.responseText || 'no response text';
    // put response into the hidden field here
  }
});

The script ajax_retrieve_value.php will retrieve the value corresponding to the key and the javascript function places it in the hidden field.

On submitting the form all you need to do is to run another query and see if the key which is in $_SESSION corresponds to the value coming from the hidden field.

If your ajax_retrieve_value.php checks $_SERVER['REMOTE_ADDR'] and allows only the IP of your server, you are spam-proof. Without Captcha at all.
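
A model of the exchange described above, as an added example that is not code from the original post: an in-memory map stands in for the database table, a plain object for $_SESSION, and the function names and sample pairs are constructed. Beyond the post, it clears the key on submit so an answer is accepted only once, and it leaves out the REMOTE_ADDR restriction because the Ajax request arrives from the visitor's browser, not from your server.

```javascript
// Constructed sample rows standing in for the post's database table of key/value pairs.
const PAIRS = new Map([
  ['k1', 'a91f'],
  ['k2', '07c3'],
  ['k3', 'e2b8'],
]);

// Form load: pick one pair and remember only its key in the session
// (the post's $_SESSION). The value is never written into the page.
// `pick` is a hypothetical hook so the row choice can be fixed in tests.
function loadForm(session, pick = Math.random) {
  const keys = [...PAIRS.keys()];
  session.key = keys[Math.floor(pick() * keys.length)];
  return session.key; // rendered into the Ajax call as ajaxkey
}

// Stand-in for ajax_retrieve_value.php: return the value only for the key
// this session was issued, so other rows cannot be read through it.
function ajaxRetrieveValue(session, ajaxkey) {
  if (!session.key || ajaxkey !== session.key) return null;
  return PAIRS.get(ajaxkey);
}

// Compare without stopping at the first differing character.
function sameString(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Submit: look up the value for the session's key and compare it with the
// hidden field. The key is cleared first, so a second submit with the same
// value is rejected until the form is loaded again.
function verifySubmit(session, hiddenValue) {
  const key = session.key;
  delete session.key;
  if (!key) return false;
  return sameString(PAIRS.get(key), hiddenValue);
}
```
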

  1. Nice idea, I might borrow it for

  2. What if I have javascript disabled? Will you not allow me to use your site? No, you must have a way for it to work for those with javascript enabled. And the spammers will use that method to get in.

    I really hate those javascript disablers…. always making life more difficult.

  3. If you have javascript disabled, you won’t be able to comment. I don’t think anyone should care about disabled javascript. It’s not 1998 anymore, ajax is everywhere. If people want good web experience they should have javascript enabled.

