Peter's Blog

Redefining the Impossible

Drupal Comment Captcha mod

Drupal Comment Captcha mod

Submitted by Peter on Tue Dec 21 2004 20:24 over 3 years ago

Update 30/9/2005: I no longer use the Captcha. I use this and it works very nicely.

I was tired of the daily chore of deleting comment spam from my approval queue. I would consider using the spam module only I wanted a solution with no administration overhead, not even training a bayesian filter.

I've modified the comment module from Drupal version 4.5.1 to include Captcha support: the user is shown a graphic containing some letters and they have to type them in. Until our comment spamming friend adds some OCR to his spamming script I should be safe.

My modification is based on the existing Drupal Captcha module and I have been in contact with arnabdotorg, the author of this module, for approval to publish my work. I have not made any alterations to the captcha module but I have copied some of the code and it is necessary to install it in order to set up the administrative options which are also used by my modified comment module.

I have put my modified version of the comment module here. This is only a temporary fix: the author of the Captcha module says he will be working on a proper implementation of comment captchas.

Notes:

  • My modification requires anonymous users submitting comments to enter a captcha to prove they are not a spambot.
  • Users with accounts should not be asked for a captcha
  • The captcha is not checked when previewing the comment
  • One captcha is assigned per session so the user does not have to keep typing in different captcha letters (I am not sure if this is a security hole, if the captcha is guessed correctly once you will be bombarded with comment spam. However, it makes life a little easier for the users). The captcha will change if a cron session happens to wipe out the captcha files while the session is open.
  • I am not a Drupal guru and I have not considered issues like caching, whether stored session is secure etc. Hey, this is open source, peer review can help put me right.
  • The module generates a watchdog warning to mark captcha failures
  • Since this has been in place on my site (for three days) I have been seeing captcha failures regularly (4 pagefulls of warnings so far).
  • The module is running on my site (http://www.petersblog.org) so you can either break it or drop me some friendly comments.
  • I am getting as many comments now as I was getting before so real users are getting through.

Now all I need is a way to keep my referrer logs clean...

Filed under: captcha drupal

chris Says:

Wed Dec 22 2004 05:10 over 3 years ago

I have not encountered comment spam yet, but when I do, this will be very useful. :) I hope it is integrated into captcha module soon.

Jonathan Furness Says:

Wed Dec 22 2004 09:37 over 3 years ago

Hi Peter,

I'm having a torrid time with SPAM on my blog, and have so for the past 2 weeks now. In fact as i type, I notice two more SPAM comments....

I have installed the SPAM module, but can't seem to get this to work... I've installed your comments.module as I see this as the only real way to stop SPAM dead in it's tracks. However, I cannot get your module to show the Captcha letters on the comment form. Do I just need to put your comment.module in my modules folder?

I added the Captcha module too, in case your code relied on captcha being installed. arrghh!

Any help would be appreciated... also... a suggestion... could you make the captcha graphic show only three letters... make it even easier for the visitors. How might I change that?

Peter Says:

Wed Dec 22 2004 14:13 over 3 years ago

My modified comment module does rely on the Captcha module being installed and it's configuration options being set up. These options are simply the location of the directory where the temporary Captcha graphic files should be stored. I have both entries set to './tmp' and I have a directory off my site root directory called /tmp which is readable by the outside world. They can be changed to some other directory such as ./files if you already have one set up.

Regarding the number of characters in the Captcha, if you look at line 1743 of comment.module it looks like this: 

for ($x=0; $x < 6; $x++) {

If you change the 6 to something else then you can control how many characters are in the captcha.

If you have any more problems, you might want to search around the Drupal site for similar problems in the original Captcha module as I took a lot of the code from there (with the authors approval).

Peter

grohk@code0range.net Says:

Wed Dec 22 2004 14:29 over 3 years ago

Thanks for the new functionality! I have watching the forum comments and been hoping someone would provide this for Drupal...I am so sick of the Spam comments.

I did notice a mispelling in the modification:

"hastle" should be "hassle"

Any way you could add this to the captcha module as a patch file in an optional folder? Or hell, I wish Dries would let it into Core.

Peter Says:

Wed Dec 22 2004 16:20 over 3 years ago

I'm surprised nobody has done this already, it was begging to be done and it only took me a couple of hours (maybe that shows).

I have spoken to the author of the Captcha module about using his code. He is thinking about doing a proper version of this change: I regard this hack as a temporary solution. I don't understand the comment module's hooks well enough to create a seamless module to add this functionality myself.

Looking at Drupal forum this morning, there are other places a Captcha check could be used...

As for hassle, I must have been spelling it wrong for years. Oh, and anyway is one word.

Peter

grohk@code0range.net Says:

Wed Dec 22 2004 18:35 over 3 years ago

Nonsense. Your patch is very much needed right now. I suppose it will not be applied to Core since it depends on the captcha module, but maybe the functionality could be worked into Core somehow.

Could you make a diff of this patch against the 4.5 comment module and post it as a feature request? Perhaps that would prompt more discussion on the topic.

Also, I only meant to point out the spelling mistake because it is in a sentence that is presented to the anonymous commenter...I have no doubt it your ability to spell :)

Hannes Schmidt Says:

Mon Jan 03 2005 01:49 over 3 years ago

Nice work, Peter! One little note: The captcha is only visible if "Anonymous posters may leave their contact information" or " Anonymous posters must leave their contact information" option is selected on the comments configuration page (administer - comments - configure). I don't know if this is intentional but I think it's worth mentioning.

Peter Says:

Mon Jan 03 2005 12:18 over 3 years ago

It was not intentional, I haven't really tested it with these different settings. The comment module is quite complex and I don't find it that easy to read.

Peter

Anonymous Says:

Thu Jan 20 2005 12:48 over 3 years ago

I tried to download the module, but the host www.bisiand.me.uk doesn't seems to exist in DNS anymore. Is there an alternate download location?

Anonymous Says:

Thu Jan 20 2005 20:50 over 3 years ago

Sure, I've been having registrar problems, this site is now http://petersblog.org and the module can be found here.

Peter

Peter Says:

Wed Mar 02 2005 09:21 over 3 years ago

I became fed up with using this. I'd be logged in as administrator and I'd type in a comment, it would not ask me for a captcha. I'd submit it and then it would moan about me having not entered the captcha. There is something screwy about the way drupal is handling sessions or doing page loads, something deep.

I've done a simpler captcha mod: this one just asks the user to enter the word "Peter" in a box. It always asks the question, whether I am logged in or not, it just doesn't do the check if I am logged in.

This should be sufficiently straghtforward and unless comment spammers are targetting me specifically it should do the job. If you are going to use it, please change the magic word.

It is here

Peter

Anonymous Says:

Sat May 28 2005 00:34 over 3 years ago

Hmm. What do blind users do to leave comments? Do you have an audio captcha?

Peter Says:

Sat May 28 2005 20:34 over 3 years ago

They haven't complained.

Peter

Anonymous Says:

Sun Dec 04 2005 22:37 over 2 years ago

test

Peter Says:

Mon Dec 05 2005 08:58 over 2 years ago

Have to wonder whether the test passed or failed.

Peter

Anonymous Says:

Wed Feb 08 2006 09:02 over 2 years ago

It don't work :&

Peter Says:

Wed Feb 08 2006 09:04 over 2 years ago

I bet the tech support guys love you.

You cannot beat a total lack of detail to make bug hunting a real challenge.

Peter

Bjorn Says:

Wed Feb 13 2008 09:33 9 months ago

It can help!

Comments are Closed