Building a PHP-driven Comment Form

My site is built in Jekyll but I wanted the ability to accept comments from visitors. I do not host with Netlify or similar so those cool Jamstack options were not available. Instead, I figured out a way to build it with JS and PHP since the server I host with allows PHP scripts.

  • My pages contain a hollow form ready to accept an AJAX-injected snippet of PHP. The form action is another PHP file
  • The JS loads the PHP into the page after 15 seconds. Most human visitors will take at least that long to get to the form and write their message, but in case they get there too fast, a button press will load the form onto the page immediately for them to fill out
  • The PHP injects a date and time which the post destination Mailer form checks, along with other spam checks. The results of the spam checks are logged to the PHP error log
  • The Mailer form requires a POST object with a date and time in order to be processed. Further, mail is only ever sent to my email, so if a bot did find it and did manage to clear the requirements, it would only be able to send mail to me
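As an added example (not the post's own code), here is a minimal PHP mailer implementing the checks listed above, with the injected timestamp additionally HMAC-signed so a bot cannot fabricate one; the recipient, secret, field names and honeypot input are assumptions. The token-issuing helper `hidden_fields()` is shown in the same file for brevity; the AJAX-loaded form snippet would include it and the constants from a shared file.

```php
<?php
declare(strict_types=1);
// Added example, not the post's own code. Assumptions: the AJAX-loaded form
// snippet calls hidden_fields() to emit "issued" (Unix time) and "sig" (an HMAC
// of it); the form also carries a hidden honeypot input named "website".

const RECIPIENT   = 'me@example.com';                    // the only address ever mailed
const SECRET      = 'REPLACE-WITH-LONG-RANDOM-SECRET';   // placeholder, keep out of git
const MIN_AGE_SEC = 15;    // form must have been on the page at least this long
const MAX_AGE_SEC = 3600;  // and the token must not be stale or replayed much later

function hidden_fields(): string {   // used by the PHP snippet the JS injects
    $issued = (string) time();
    $sig    = hash_hmac('sha256', $issued, SECRET);
    return "<input type=hidden name=issued value=\"$issued\">"
         . "<input type=hidden name=sig value=\"$sig\">";
}

function reject(string $reason): void {
    // Every failed check goes to the PHP error log, as on the original site
    error_log('comment-form: ' . $reason . ' from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
    http_response_code(400);
    exit;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') reject('not a POST');
$issued = $_POST['issued'] ?? '';
$sig    = $_POST['sig'] ?? '';
if (!ctype_digit($issued)) reject('missing or malformed timestamp');
// The HMAC ties the timestamp to this server, so a bot cannot simply invent one
if (!hash_equals(hash_hmac('sha256', $issued, SECRET), $sig)) reject('bad signature');
$age = time() - (int) $issued;
if ($age < MIN_AGE_SEC || $age > MAX_AGE_SEC) reject("timestamp age {$age}s out of range");
if (($_POST['website'] ?? '') !== '') reject('honeypot filled');   // humans never see it

$name  = trim($_POST['name'] ?? '');
$email = trim($_POST['email'] ?? '');
$body  = trim($_POST['comment'] ?? '');
if ($name === '' || $body === '' || strlen($body) > 5000) reject('empty or oversized fields');
// Only validated input may reach a mail header: a stray newline there injects extra headers
if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) reject('invalid email');

$headers = "From: comments@example.com\r\n" . ($email !== '' ? "Reply-To: $email\r\n" : '');
mail(RECIPIENT, 'New site comment', "Name: $name\nEmail: $email\n\n$body\n", $headers);
error_log('comment-form: checks passed, mail sent');
echo 'Thanks, your comment was sent.';
```

The recipient is a constant rather than anything taken from the request, and the only user-supplied value that reaches a header has passed `FILTER_VALIDATE_EMAIL`, which rejects the newlines a header-injection attempt depends on.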

I’ve had this in place for a little over a year now and have not seen ANY spam but I have seen real comments come through to my email address. Then I post the comment to my anecdote.yml file.

I do worry about security, though, so while I am happy with this approach, if anyone sees a big security hole I’d love to hear about it.