How to make a comments system with PHP and JS

So let’s say I have a form in a .html file. Its action attribute is a php file, and once the form is submitted, it will send a request to that php file. How does that work? Aren’t .html files completely client sided, and .php files can only be accessed by the server? How do I do what the form does, but solely with javascript? I read about AJAX and JS Fetch but don’t understand any of it.

So apparently, .php files cannot be accessed by javascript, but they can be accessed by html forms?
I’m really confused about this tutorial. PHP: Dealing with Forms - Manual

You are correct when stating the .html is client-side and .php is server side.

When you submit a form on an HTML page, your browser loads the PHP file, which then processes the form input.

For example, if this was my index.html

<form action="form.php" method="post">
  <input type="text" name="name" placeholder="Enter Your Name">
  <input type="submit" value="Submit">
</form>

Then when the form is submitted, the information is POSTed to form.php.

An example of form.php is below:


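<?php
if (isset($_POST['name'])) {
  // Escape the submitted value before echoing it back into the page
  $name = htmlentities($_POST['name']);
  echo "Hello ".$name;
} else {
  echo "You did not submit the form";
}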

How do I post to PHP but with only JS?
So for example I have a regular input element and a regular button that activates a JS function. How do I send a request with custom defined parameters to a php file, which will then send a few parameters back to the client?

You can use <input type="hidden">

The PHP file will generate HTML that is shown to the client. (Like the “echo” statement).

I recommend that you learn a bit more about PHP first.


Will it work if the page is an html file? How and where will the php code run then?

Again, I recommend that you learn a bit more about PHP and HTTP requests here.

It does not matter what type of file the web form is on. When the form is submitted, the user is redirected to the file in the action attribute.

The action attribute needs to point to a PHP file in order for the data to be read, and then for something to be done with it. (I suppose an HTML/JS file will work as well if you use the GET method).


Okay, so now I’m trying to make a barebones comment system inside a PHP page where all the server and client sided code will be inside that page.
My idea is that every time a user loads up the page, a JS script will update a list element inside a page using an array variable set by a PHP echo.
So for example

//receive whatever the JS posted 
function $GET_COMMENTS(){
//5 second ip cooldown
if (!$IP_COOLDOWNS[$_POST.ipAddress]){
$IP_COOLDOWNS[$_POST.ipAddress]=(async delay(5)=>{self.remove})
//get 25 comments each time
echo JSONEncode(Limit(JSONDecode($_GETFILE("/comments.json")),25))
//5 second ip cooldown
if (!$IP_COOLDOWNS[$_POST.ipAddress]){
$IP_COOLDOWNS[$_POST.ipAddress]=(async delay(5)=>{self.remove})
//post new comment to comments.json
$COMMENTS = JSONDecode("/comments.json")
$COMMENTS[$COMMENTS.length] = tostring($COMMENT)
<button onclick="loadcomments()">REFRESH COMMENTS</button>
<button onclick="postcomment()">POST COMMENT</button>
//Yes I know the php and js syntax is incorrect, this is just an idea

//initial code

function loadcomments(){
var comments = <?php $GET_COMMENTS()/?>
for (i = 0;comments.length,i++){
var comment = document.createElement("td",document.querySelector(".l")[0])
function postcomment(){
//use AJAX or whatever to post whatever is in the input to its own file like $.POST("/")

Basically this file will hold the serversided comment loading/posting logic and the page with JS itself. I don’t want to make a separate comments.php file as that will increase hit amounts. Every IP has a 5 second cooldown to prevent DDOS attacks, and the comments themselves will be an array inside a JSON file.

So, as you are more experienced with PHP and JS than me, how do you turn this code concept into a real thing?


While that approach is possible, you can do this without JavaScript. Just get the posts from the database and use the PHP while() function.

While that may prevent spam, that’s not going to prevent DDoS attacks. And if you make the wait period with JavaScript and don’t verify it with PHP, a user can easily remove it with the inspect panel that all popular desktop browsers have.


Did you read the concept code I wrote? The IP cooldown logic is handled inside PHP code. I made it without understanding much about PHP. You will/may have noticed that the IP cooldowns are basically a table of keys that remove themselves after 5 seconds. I don’t know if this is plausible though, as I don’t even know how variables are handled/stored in PHP. If I can make a variable like that, then what’s stopping me from storing all my website’s data inside PHP variables?


Um, it looks like you just embedded JS and tried to pass it off as PHP. You can’t use JavaScript inside a PHP function.

And the PHP file only runs when the file is loaded. So it’s impossible to implement a 5 second hold period using just one PHP file. (Theoretically you may be able to use sleep() or something, but that makes it 10x more complicated, and sleep() is not allowed here anyways).

The fact that PHP only runs on page load probably will.


I think you need to learn a bit more about how PHP works before trying to do this. You are making a lot of these steps way more complicated than they need to be.


Okay, well now that I know PHP only runs on page load (The PHP documentation and W3schools never mentioned this, at least not that I saw), can I still store the PHP functions inside the same file that has HTML and JS and stuff? The JS, when using AJAX or something else to request PHP, will request its own file path (“/”). The revised idea is that the IP addresses will also be temporarily stored inside some JSON file or SQL database.

Here are my questions:

  1. I have never used SQL before, and I don’t know how to implement removal timers for JSON and SQL keys/values. I want to pick the one that uses the least hits/bandwidth, so for example I don’t know if these methods,
    A) Having a JSON table that consists of a key, a string that contains the IP and the value, an integer that contains the UNIX timestamp, and the keys don’t automatically remove themselves but they are only added/reset each time the PHP script checks that value and sees that it has been more than 5 seconds into the past, and also the JSON table will reset itself every day as long as the PHP script checks it
    B) Having an SQL database that is built like the former but each row will have some function (I’m guessing this is possible?) that will remove itself in 5 seconds
    — use less or more bandwidth.
  2. Still though, can’t users DDOS my site by making tons of requests to my PHP script, regardless if their IP is under cooldown inside the JSON file/SQL database or not? Like for example say IP (1.23.45) posts a comment, then their IP gets stored inside a cooldown storage, but every time they request the PHP file, it still counts as a client-to-server interaction, so won’t that count as a “hit”? Is there nothing I can do to stop that?
  3. Please answer 1. and 2. first, as this is a less important query. Why is, and what do you mean by sleep() not being allowed here? Is sleep() not allowed in PHP, in InfinityFree? Why?
  4. Can I store all the PHP logic inside the same .php file that also serves as the page? Just like my concept code above, like so:
    PHP LOGIC (Will handle all the serversided comments logic, everything wrapped in functions so it’s not something that will run everytime the php file is loaded by a browser)
    JS (Will frequently AJAX or something else request itself, ie. “/”)

  1. Don’t do it that way; again, you are making it much too complicated. Instead, do this:
     • When a user submits a post, log the current time time() in the database.
     • When the user submits a post, check the last post entry time, and see if 5 seconds have passed since then. If 5 seconds have passed, post the post. Otherwise, throw an error.

  2. Exactly. If the file is loaded, that’s a hit. Does not matter what action(s) the file takes.

  3. sleep() is not allowed on InfinityFree because it slows the servers down. You don’t really need it anyways, and there is (almost) always a better way to do something.

  4. You don’t need to wrap everything in functions unless you want to. The speed difference will not be noticeable (And PHP is not loaded by the browser, it’s loaded by the server). Also, I don’t really recommend you use AJAX, since every AJAX request is also a hit.
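The database-backed cooldown described in the reply above, as an added example that is not part of the original thread: the last post time is stored and checked on the server, and comments are escaped when rendered. The in-memory SQLite database, the table names, the length limit and the `$userId` parameter are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. Assumptions: in-memory SQLite via PDO, hypothetical
// table names, a 2000-byte limit, and a $userId the caller takes from the login session.
const COOLDOWN_SECONDS = 5;
function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE last_post (user_id INTEGER PRIMARY KEY, posted_at INTEGER)');
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT)');
    return $db;
}

// True if the comment was stored; false if it was empty, too long, or too soon.
function post_comment(PDO $db, int $userId, string $body, int $now): bool {
    $body = trim($body);
    if ($body === '' || strlen($body) > 2000) return false;
    $db->beginTransaction();   // timestamp and comment are written together
    try {
        $q = $db->prepare('SELECT posted_at FROM last_post WHERE user_id = ?');
        $q->execute([$userId]);
        $last = $q->fetchColumn();   // false if this user has never posted
        $ok = $last === false || $now - (int)$last >= COOLDOWN_SECONDS;
        if ($ok) {
            $db->prepare('REPLACE INTO last_post VALUES (?, ?)')->execute([$userId, $now]);
            $db->prepare('INSERT INTO comments (user_id, body) VALUES (?, ?)')->execute([$userId, $body]);
        }
        $db->commit();
        return $ok;
    } catch (Throwable $e) {
        if ($db->inTransaction()) $db->rollBack();
        throw $e;
    }
}

// Escape on output so a stored comment cannot inject markup into the page.
function render_comments(PDO $db, int $limit = 25): string {
    $q = $db->prepare('SELECT body FROM comments ORDER BY id DESC LIMIT ?');
    $q->bindValue(1, $limit, PDO::PARAM_INT);
    $q->execute();
    $html = '';
    foreach ($q->fetchAll(PDO::FETCH_COLUMN) as $body) {
        $html .= '<li>' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $html;
}

// Constructed demo: the same user posts at t, t+2 and t+6 seconds.
$db = open_db(); $t = time();
foreach ([0 => 'first <b>comment</b>', 2 => 'too soon', 6 => 'later'] as $dt => $text) var_dump(post_comment($db, 1, $text, $t + $dt));
echo render_comments($db);
```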


Okay, so what I’m understanding here is you want me to make an SQL database that functions as a log for the last time() someone posted. If it has not been 5 seconds, it will throw an error.

  1. In order to even see if the last time() someone posted has been 5 seconds, a PHP script will need to access that database. Won’t that count as a hit every time, regardless of if it even actually has been 5 seconds? Thus, won’t someone just be able to DDOS it?
  2. Even if it doesn’t count as a hit every time a PHP script accesses that database, can’t someone just repeatedly spam the post/request comments button making it so that nobody else can comment, because of the cooldown?
  3. What is the difference between using a JSON file versus an SQL database to store cooldown times and the comments themselves? You never really answered that question.

So, what do I do? If every JS to PHP request counts as a hit, and cooldowns are utterly useless, then does that mean there is not a single thing I can do to prevent DDOS attacks on my website? Won’t this make InfinityFree incredibly insecure for anyone who wishes to host a website that includes client to server interactions?

So, should I put all the PHP logic, HTML elements, and JS code all in one file, or not? Is there no difference between me putting all the logic inside functions, inside one centralised location, or me putting each particular function inside several PHP files? I was only bringing up AJAX as an example, since it’s the only thing everyone said to use when I was searching up how to use JS to communicate with PHP. How do I use JS to communicate with PHP without using AJAX, preferably a method that doesn’t count as a hit every time it is used?


Correct and correct

You will need to associate the cooldown with a specific user. Users do need an account to post, right?

Easier to code and faster for the code to run. Plus, there is a 10MB limit on file (JSON), but not a set limit that you will realistically run into (MySQL)

Well the cooldown will help prevent spam

With a free subdomain? No. With a custom domain? Yes:

Even if you just host a static single-site page, you are still vulnerable to DDoS attacks. The fact that the site is multi-page, dynamic, etc. does not increase/reduce your risk of getting attacked.

Up to you.

JS can’t communicate with PHP without creating a hit. JS is on the client-side, and it does not run until AFTER the PHP code does.


Just accept the reality of the internet?

This is not just a problem with InfinityFree, it’s a problem for anything that’s connected to the internet. Even on providers where you don’t have a hits limit, it’s possible to hammer the site and make it hit the limits for CPU, memory and process usage. Even if you have your own (virtual) server, or even a room full of servers, there is a finite amount of server power and network capacity to handle traffic. If you hit a site with enough traffic, it will go down. There are no exceptions. Even huge companies like Google or Facebook are not exempt from this (although it is very hard to generate enough traffic to take them down).

InfinityFree is free hosting so the limits are quite low, which means it’s relatively easy to flood it with enough traffic to take the site down. If you don’t want that to happen, you need more server power, and you will need to pay for that.

