Comments API
I’m not sure quite what it will really be good for yet, but this Comments API proposal sounds cool anyway. Comments and an API are enough for me: I’ll worry about what it’s good for later.
The one problem I’ve got in terms of doing a dotcomments or Movable Type implementation is the lack of anything to use as a comment author identifier. Apps that don’t require a login to comment (like virtually everything I’ve ever used, except for playing around with Manila), end up getting a variety of names and email addresses for a single comment author. Retrieving all of Shannon’s comments around here would require a good memory and capi.getCommentAuthorIDByRegexp().
Who, me?
An XML-RPC interface to a commenting script could also make it easy for malicious users to abuse it, i.e. writing a program to flood scripts with posts would be that much easier through the use of such a universal interface and API.
Oh, not really. If you could post a new comment with just the blogID, it would certainly be a comment-spammer’s dream come true, but since you’ve got to have the (generally easily generated) blogID and the (nearly impossible to guess) postID to send newComment, it’s really not that prone to abuse: I could write a script (or even an HTML+JavaScript page) to post every couple of seconds, randomly changing the name/email/text just in case you are trying to avoid double posting by looking at the previous post in the thread (which, by the way, is a really good idea you ought to steal from YACCS) about as easily as doing an API client. I’d have to change the names of the vars in my post to switch from one comment system to another, but that wouldn’t be a really big deal.
I really wish you hadn’t started me thinking about how incredibly easy that would be. Maybe 15 minutes to do it in PHP, a bit longer to do something amusing like taking my names, emails, and text from blogs randomly selected from weblogs.com/changes.xml.
Hmmm. This server is being a little fishy…I was just about to post my entry when it gave me DNS errors for around 5 minutes.
But anyway, here’s what I was about to post:
I really do need to implement some protection systems within the script to prevent double posting, posting huge posts, and/or making multiple posts within a minute.
The HTML/JavaScript could work and PHP would definitely work for writing an automated comment poster/flooder and probably the only real way to make sure that one user doesn’t abuse the service would be to limit the number of posts per minute/hour/day by unique IP. Unfortunately, all these things do result in a performance hit to the server and so implementing protection has to be done carefully.
Just FYI–I have in the past created a Visual Basic application that used socket programming to make automated posts to a Forum. This kind of thing is unfortunately too easy to do.
P.S. Pls move the “Forget me” button somewhere below the Post button. I keep hitting that instead of the post button. :-0
Although anything you do has some performance implications, you should be able to get away with a whole lot more when a comment is submitted than at any other time, just because it happens so rarely. It would be interesting to know numbers for a more typical blog, but the dotcomments installation that does comments for my Blogger FAQs got 612 requests for the comment count, 82 requests for comment threads, and zero comments submitted yesterday. Probably most people’s numbers aren’t that extreme, but still: optimize the hell out of the comment counts, and you can get away with a lot more anywhere else in your code.
Good point about people actually posting comments being relatively rare. Most of our traffic comes from the comment counting, then the actual loading of pages. I just installed a meatier traffic analyzer program (about 5 mins ago) so I can’t provide you with numbers yet but your number ratios seem pretty similar to my own site’s from what it’s got so far.
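The protections raised in the comments above (a size cap, a double-post check against the previous comment in the thread, and per-IP limits per minute/hour/day), run only on the rarely used submit path, as an added example that is not code from any commenter, dotcomments or YACCS. The class name, the thresholds, the in-memory storage and the sample submissions are all assumptions made for illustration.

```python
import hashlib
from collections import defaultdict, deque

MAX_COMMENT_BYTES = 4000                       # assumed size cap
LIMITS = ((60, 2), (3600, 20), (86400, 100))   # assumed (window seconds, max posts) per IP

class CommentGuard:
    """Checks run only when a comment is submitted, never on count or thread reads."""

    def __init__(self):
        self.last_digest = {}                  # post_id -> digest of latest accepted comment
        self.accepted = defaultdict(deque)     # ip -> timestamps of accepted comments

    @staticmethod
    def _digest(text):
        # Normalise case and whitespace so trivial edits still count as a double post.
        return hashlib.sha256(" ".join(text.lower().split()).encode("utf-8")).hexdigest()

    def check(self, ip, post_id, text, now):
        """Return (accepted, reason) for one submission at time `now` (seconds)."""
        if len(text.encode("utf-8")) > MAX_COMMENT_BYTES:
            return False, "too long"
        digest = self._digest(text)
        if self.last_digest.get(post_id) == digest:
            return False, "duplicate of previous comment"
        stamps = self.accepted[ip]
        while stamps and now - stamps[0] >= LIMITS[-1][0]:
            stamps.popleft()                   # forget entries older than the longest window
        for window, max_posts in LIMITS:
            recent = sum(1 for t in stamps if now - t < window)
            if recent >= max_posts:
                return False, "rate limit: %d per %ds" % (max_posts, window)
        stamps.append(now)                     # only accepted comments count against the limit
        self.last_digest[post_id] = digest
        return True, "ok"

def demo():
    # Constructed submissions: (ip, post_id, text, time in seconds).
    guard = CommentGuard()
    submissions = [
        ("192.0.2.10", "post-1", "Nice idea.", 0),
        ("192.0.2.10", "post-1", "nice   idea.", 5),          # double post
        ("192.0.2.10", "post-1", "Second thought.", 10),
        ("192.0.2.10", "post-2", "Third in a minute.", 20),   # over 2 per minute
        ("192.0.2.10", "post-2", "Later comment.", 90),
        ("198.51.100.7", "post-1", "x" * 5000, 95),           # oversized
    ]
    return [guard.check(*s)[1] for s in submissions]
```

The cheapest checks run first, and a per-IP limit also throttles every user behind a shared proxy or NAT address, so the thresholds need tuning per site.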
Comments API
Looks like there is a proposal for a comments API out there. I think this would be cool. There is room for abuse with such a system, but that’s true