I was wondering if and what measures are built into the script to filter the comments. I have taken a quick look at the code, but couldn't find any more than the validation check for valid email addresses etc. Everybody having had a comment-enabled blog or other script knows what I'm talking about. All those spam messages.
So what experience have people had so far? And what are the planned developments in this area?
As a side note: I know it's still a beta, but still, can anyone say something about how secure the script is at the moment? In my opinion, these aspects are more important than adding new features. I hope I don't sound too offensive. Really, from what I can see ZP is very well programmed. However, I have seen so many scripts for galleries, guestbooks, blogs etc. that have gaping security holes in them. Like relying on magic_quotes being on, for example.
I just would like to hear some more about these aspects.
Thanks, and keep up the great work!
Comments
It would be really great if the comment function somehow could be integrated with Wordpress' anti spam plugins. Would that be possible at all?
http://lunaport.com/photos/mardi_gras/03.jpg
I've left it on this page only - there was lots more. So, what can I do? I didn't see anywhere to disable comments.
For now you could disable the form in the theme, but that's tedious and hacky. We'll have a real solution soon.
Looks to me like the script mistook the comments form for an email form - the content of the posts looks like attempted email injection (http://securephp.damonkohler.com/index.php/Email_Injection). Guess they just try every form they find.
but it is annoying and somehow scary as well
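A defensive check for the probing described in the comment above, as an added example that is not part of the original thread or of zenphoto's code: it flags comment submissions that carry email-header-injection signatures. The field names (name, email, website, comment), the helper name and the two-header threshold are assumptions.

```php
<?php
// Added example, not zenphoto code. Field names are assumptions.

// Fields that must be a single line; CR/LF here is never legitimate.
const SINGLE_LINE_FIELDS = ['name', 'email', 'website'];
// Mail/MIME header names that injection probes typically paste into forms.
const HEADER_PATTERN =
    '/^[ \t]*(to|cc|bcc|from|subject|reply-to|content-type|mime-version|content-transfer-encoding)[ \t]*:/im';

function findInjectionSigns(array $post): array
{
    $findings = [];
    foreach (SINGLE_LINE_FIELDS as $field) {
        $value = (string) ($post[$field] ?? '');
        // Check the raw value and one extra URL-decoding pass (%0a, %0d).
        if (preg_match('/[\r\n]/', $value . rawurldecode($value))) {
            $findings[] = "$field: contains CR/LF";
        }
    }
    $body = (string) ($post['comment'] ?? '');
    preg_match_all(HEADER_PATTERN, $body, $m);
    $headers = array_unique(array_map('strtolower', $m[1]));
    // One "To:" line can be ordinary prose; two distinct headers is a probe.
    if (count($headers) >= 2) {
        $findings[] = 'comment: header-like lines (' . implode(', ', $headers) . ')';
    }
    return $findings;
}

// Constructed sample submissions.
$samples = [
    'ordinary' => [
        'name' => 'Anna', 'email' => 'anna@example.org', 'website' => '',
        'comment' => "To: the photographer\nLovely light in this one!",
    ],
    'probe' => [
        'name' => 'x', 'email' => "x@example.org\r\nbcc: list@example.net",
        'website' => '',
        'comment' => "Content-Type: text/plain\nSubject: test\nbcc: list@example.net",
    ],
];

foreach ($samples as $label => $post) {
    $signs = findInjectionSigns($post);
    echo $label, ': ', $signs ? 'REJECT (' . implode('; ', $signs) . ')' : 'ok', "\n";
}
```

The same check belongs in front of any code that later forwards comment fields into a notification or moderation mail, since that is the point where unfiltered CR/LF would reach real mail headers.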
Maybe Akismet anti spam can be provided in the form of a plugin for zenphoto?
just add #comments {display:none} to the end of your template's css and they will not show
Any news on comments approval moderation mail and comment spamming?
Keep up the good work!
/Petter
I also thought of a related feature. It would be great if users who were already logged into wordpress could post comments without having to enter their details a second time.
Many thanks!
Just search for humanauth online. They provide a distribution in php to get started, it might be cool to try and implement.
http://www.gigoit.org/humanauth/
More thoughts on it:
Probably taking photos from zenphoto in a random fashion would not be the best idea, as you'd have to "key" pictures to specific categories (or tags) which humanauth would then use for its algorithm. In other words, say you have 9 random pictures, three of them tagged as "cars". The system would then use the tags to identify the "cars" and then the user would have to click on the cars to pass the comment submit process.
Seems needlessly complicated the more I think about it. But it sounds cool....
Just wanted to reply to thinkdreams' comment. Humanauth works by having the images in two separate folders. A "correct" and "incorrect" folder. The script looks at the file names in the folders and automatically creates everything for you. So there is no need to tag anything. An image called "green_tree.jpg" will receive a title and alt tag with the text "Green Tree". The underscore becomes a space, the extension is removed and we even capitalize the first letter of each word so it looks nice.
All you really need to do is put whatever images you want in each folder. Currently we placed pictures of nature in the "correct" folder and request users to choose three pictures of nature. You can put whatever pictures you want in there and just update the challenge for your users. There is even a config file so you can make your own folder names and just update Humanauth to whatever you called it.
As long as there is a central theme to the correct images, users will be able to identify them based off the question you ask them. In our example, we just took a bunch of pictures of things found in nature and dropped them in a folder. That was our theme.
Humanauth already comes with these images and you can pretty much just drop it on your server and hook it into your site by using the code on our sample.php page included with Humanauth. Works with PHP4 & PHP5.
We are always available to answer questions too, if you need any help. It really is pretty easy. Hope you will give it a try.
- Gigoit Staff
( http://beta.gigoit.org )
wow. i never expected a reply from the actual humanauth people on the zenphoto site. this is pretty cool. i just think it would be a nifty addition to a photo gallery to use the photo gallery images to "validate" a human commenter.
one thing i would like to know is what the best way is to hook humanauth into the zenphoto comment architecture. In other words, would you place the humanauth code before the submit comment button on the comment form, or after the submit button is depressed, then it passes to humanauth?
we can take it offline more as well if you want, i am at craig (at) thinkdreams.com. seems like a better place than cluttering up tristan's nice zenphoto board with another off-topic discussion.
I do like the idea of using photos for authentication, it fits with the application's purpose very well.
However, I have always thought any kind of captcha to be an excessive measure. I believe bayesian filtering is pretty good, especially distributed systems like Akismet. One big downside of Akismet is that it requires a wordpress.com API key... not terribly uncommon for public APIs, but still an extra hassle. We could alternatively use a PHP bayesian filter internally, but that's not very effective either with the low numbers of comments you get on a photo album... maybe captcha is ok... :-)
Really, we need plugins. Then we can make all kinds of sp*m filtering as needed.
I know this is naive, but sp*m for most of us is still very low. Zenphoto isn't yet widespread enough to attract much attention, but all that does is buy us time to get some protection.
captcha works ok as an alternative. i think humanauth is something a bit better since it does use photos. captcha can get annoying to people in some cases, and it definitely is a problem for ADA related issues. i truly cannot stand the random letter captchas.
so i'm glad to hear it's ok to discuss it here. thanks tris.
I really think we should be trying to encourage browsers of our galleries / photoblogs or portfolios to comment on our images, and creating any sort of barrier to entry is not a good idea. Akismet is a non-intrusive solution that works, it requires very little administration on the admin's part and I really think it should be utilised in Zenphoto.
@ Tris, I am really glad you are now seriously looking at the plugin facility again, I do appreciate you have been busy with other things. The plugin feature will take a lot of the heat off you and will undoubtedly increase the commercial credibility that Zenphoto deserves. Keep up the great work.
Other than being a bit of a Wordpress fanatic, I have no association with Automattic or Wordpress! :-)
http://www.gregserveur.com/public/scripts/zenphoto_comment_protection.zip
OR
http://gregoryb.dyndns.org/public/scripts/zenphoto_comment_protection.zip
After much thought, a plugin using Akismet would be the better way to go. Been busy working on my wife's business website, so I haven't had much time to work on it myself, but a good starting point would be:
http://www.achingbrain.net/stuff/akismet/
It's a PHP5 based script for comments using Akismet, which can be plugged into virtually anything. However, without the plugin architecture for zenphoto, it would require much editing of core files, and would make upgrading difficult.
Let me know if you need an extra server to test with. I'd be glad to help.
Thanks, I think I got it. Almost done. But just for future reference, you use any kind of Instant Messenger?