Phil Dreizen

kupad.net: now with more comments! (alpha)

Because at least two people have requested that I add comments, I've implemented a comment system. This isn't well tested by me or anything, so if you encounter bugs please let me know about them! And please, make feature requests. To leave a comment, you'll need to sign in with a 3rd party, like Google or Yahoo.

Adding comments introduces some...issues. So I wasn't originally in a rush to get it done.

The first issue is trying to combat spam. There are lots of options to deal with it. Widely used options like reCAPTCHA are in a war of escalation with spammers. As a result they've gotten so difficult to read, I find them too hostile to non-spammers like me. I considered rolling my own ASCII CAPTCHA - it would generate random words in ASCII art, and prompt the user to enter the word generated. (In fact, I DID develop this and chose not to use it...yet...) Though a system like this would be fairly easy to break, any time spent doing it would be specific to kupad.net, and not really worth a spammer's time. There are services like Akismet that probably use Bayesian categorizers and the like to guess if a particular comment is spam. Akismet is widely used right now, it's probably a good choice. Right now I don't have any of these in place...I'm hoping that since I'm requiring an OpenID login, spam will be reduced, though I don't actually know that it will help in any way. I do have a simple honey pot in place. Apparently, spambots can't resist filling in form fields, and so I have a form field (no display) that must be left blank for a successful comment submission.

Then there's the concern that comes with any user submitted data: security. Inviting users to comment invites users to try to break into the site. (Things like SQL injection). And, especially since comments are displayed right back on the page, another concern is users leaving malicious JavaScript code in the comments they leave (XSS). Third party libraries like HTML Purifier help with the latter at least.
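As an added illustration (not the code running on kupad.net), here is a minimal comment handler that combines the honey pot check with the two defenses named above: parameterized SQL and escaping on output. The field name, table layout and function names are assumptions, and plain HTML escaping stands in for a sanitizer like HTML Purifier, so no markup is allowed in comments at all.

```python
import html
import sqlite3

HONEYPOT_FIELD = "website"  # assumed name; hidden with CSS, humans never see it


def init_db(conn):
    conn.execute(
        "CREATE TABLE IF NOT EXISTS comments "
        "(id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.execute(
        "CREATE TABLE IF NOT EXISTS rejected "
        "(id INTEGER PRIMARY KEY, body TEXT NOT NULL, trap_value TEXT NOT NULL)"
    )


def submit_comment(conn, form, author):
    """Store a comment; return True only if it was accepted.

    `author` comes from the authenticated login, never from the form.
    """
    body = form.get("body", "").strip()
    trap = form.get(HONEYPOT_FIELD, "")
    if trap:
        # The hidden field was filled in: keep the attempt for later analysis.
        conn.execute(
            "INSERT INTO rejected (body, trap_value) VALUES (?, ?)", (body, trap)
        )
        return False
    if not body:
        return False
    # Placeholders keep user text out of the SQL statement itself.
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    return True


def render_comments(conn):
    """Return the comments as HTML with all user-controlled text escaped."""
    rows = conn.execute("SELECT author, body FROM comments ORDER BY id")
    return "\n".join(
        f'<div class="comment"><b>{html.escape(a)}</b><p>{html.escape(b)}</p></div>'
        for a, b in rows
    )
```

Rejected submissions go to their own table so they can be reviewed or used as spam samples without ever being rendered.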

And what to do about anonymous users? I ultimately decided that having some kind of identity will reduce flaming. So, in order to leave a comment, you'll need to authenticate using OpenID. You'll be able to use lots of services (Google, Yahoo...) to authenticate this way.

Finally, there is the fact that there will be bugs. So I'm looking forward to angry friends telling me how they tried to leave a comment but couldn't. Why did I bother implementing this from scratch again?

Comments:

kupad

May 20, 2013, 4:02 am

This is a comment on a post about comments. How self-referential!

Meredith

May 20, 2013, 9:59 am

Heh, I was hoping there would actually be a field that said "Do not write in this space" so that I could pull a Homer and write "Okay." But yay! Comments! One thing though -- I had to click on "permalink" under your post to get to the comment field. Perhaps add a comment button under each post?

kupad

May 20, 2013, 1:18 pm

Since the permalink and the comments link would go to the same place, I didn't make them both links. But most places do. So, I changed it -- there's a comments link now as well.

Saar

May 21, 2013, 7:45 am

I would be interested in logging spam attempts: the content that comes with the invisible form field filled (or in the case of captcha - failed captchas themselves and the content that comes with them). It's probably a good training set for a Bayesian spam filter. I also noticed you have no logging that I can see (beyond what you get from your server logs). I really liked the statcounter tracking - it's filled with awesome features, and is freeee. In the context of comments / captcha / logins, I'm kind of curious (a) how many people click the comment button but never actually comment; (b) how many bots actually scan the website. One last thing: the archives only contain 'content' (movie reviews) but no 'meta content' (like this post). Grrr :p

kupad

May 21, 2013, 4:19 pm

Saar, when you say you're interested in that data about comments, are you asking me to share it with you? I'm up for it, if that's what you're asking. I'm sure that, when it comes to the honey pot and the captchas, it would be good training for a Bayesian spam filter. Bots are constantly hitting my site, btw. An interesting thing I've been seeing is fake links. I keep getting requests for pages that are clearly not on my site, like "kupad.net/have-a-great-vacation-in-malaysia". I'm guessing some webservers never give a 404 on a bad link, and thus a working link like this would do something for somebody's pagerank?
As to logging - you're correct. I was gonna add Google Analytics the other day, but was stopped due to some kind of bug they were having. But I'll take a look at statcounter.
As to the archives: each post has a series of tags, and clicking on them should lead you to a page that has all posts that have that tag, reverse sorted by time. The most "meta content" related tag is "kupad.net" which are posts that are about "kupad.net". The archives section is somewhat redundant because of the tags, but I figured certain kinds of content might be best displayed in a custom ordering, depending on the kind of content it is. I'm sorting movie reviews by title, for example. (I'd probably cover over 80% of all cases if I just got rid of the archives section and gave the user the option to sort tags by time or by title). But, your point is taken. I think I'll add a tag cloud to the archives page to make things clearer.