Adding CAPTCHA-validation to stop comment spam

I want to add reCaptcha to my zenphoto installation.

Looking through the code in class-image.php revealed that `addComment($name, $email, $website, $comment)` is responsible for validating the comment form input. Thus, this is where I want to add some CAPTCHA controls.

Problem is, I'm not certain how the form data (POST) gets sent to `addComment`. How do I get
`$_SERVER["REMOTE_ADDR"], $_POST["recaptcha_challenge_field"], $_POST["recaptcha_response_field"]`
to `addComment`?

Comments

  • It seems zp_handle_comment() in functions_controller.php is what I'm looking for.

    I'll report back in a while.
  • Got it working. I'll post the code when I've cleaned it up a bit.
  • Here are my edits. Note that this will not remember what's in the comment textbox if the visitor fails their captcha - they'll have to start over again.

    My next post has the code needed to keep the text intact.

    image.php:
    `
    Leave a Reply

    <?php
    require_once('recaptchalib.php');
    // public key: this one is embedded in the page that shows the captcha
    $publickey = "Get a key from http://recaptcha.net/api/getkey";
    ?>
    `
    [snip]
    `
    <?php echo recaptcha_get_html($publickey); ?>
    `

    functions-controller.php:
    `
    if (in_context(ZP_IMAGE) && isset($_POST['name']) && isset($_POST['email']) && isset($_POST['comment'])) {
      if (isset($_POST['website'])) $website = strip_tags($_POST['website']); else $website = "";

      require_once("/path/to/wherever/you/put/recaptchalib.php");
      // private key: stays on the server, never printed into a page
      $privatekey = "Get a key from http://recaptcha.net/api/getkey";
      // ask the reCAPTCHA service whether the visitor's answer matches the challenge
      $resp = recaptcha_check_answer($privatekey,
                                     $_SERVER["REMOTE_ADDR"],
                                     $_POST["recaptcha_challenge_field"],
                                     $_POST["recaptcha_response_field"]);
      // only store the comment when the captcha was solved
      if ($resp->is_valid) {
        $commentadded = $_zp_current_image->addComment(strip_tags($_POST['name']), strip_tags($_POST['email']),
                                                       $website, kses($_POST['comment'], zp_conf('allowed_tags')));
      }
    `
  • NOTE: I am not a web developer. I'm frighteningly unaware of safe practices and standards. What I'll show you now might quite possibly feed bad data to your server, prompting the return of SATAN and a premature end of mankind. However, it does seem to work pretty well for me.

    If you've got more knowledge than I do, please inform us all. If you've just got more sense than I do, stay away. :)

    Here goes:

    In functions-controller.php, this is what happens if the user fails their submission (bad captcha or no name/email/comment):
    `
    $stored = array($_POST['name'], $_POST['email'], $website, $_POST['comment'], false);
    if (isset($_POST['remember'])) $stored[3] = true;
    $error = true;
    `

    Specifically note `if (isset($_POST['remember'])) $stored[3] = true;`. This line confuses the hell out of me. It overwrites the `$_POST['comment']` (comment text) that we just inserted the line before, with a "1". I can't find where this hardcoded value is read again, so I'd rather not mess with it. If you know - please inform me.

    Now, here's my ugly workaround:
    `
    $stored = array($_POST['name'], $_POST['email'], $website, $_POST['comment'], false);
    $stored[5] = $_POST['comment'];
    if (isset($_POST['remember'])) $stored[3] = true;
    $error = true;
    `

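    I simply added a sixth field and keep the comment text safe in there. To get this back out into the comment form, here's what you need to add in image.php:

    `<?php echo htmlspecialchars($stored[5], ENT_QUOTES, 'UTF-8'); /* escape the visitor's text before echoing it back */ ?>`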
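
An added example (not code from the posts above or from zenphoto) of the same flow: a captcha check that fails closed, form fields kept under named keys so nothing overwrites the comment, and the stored comment HTML-escaped before it is echoed back into the form. `handle_comment_post`, `form_value` and the stub verifier are hypothetical names; the stub stands in for `recaptcha_check_answer` so the sketch runs offline.

```php
<?php
// Added example. $verify_captcha is a hypothetical stand-in for the
// recaptcha_check_answer() call used in the thread.

/** Returns ['accepted' => bool, 'stored' => array] for one comment POST. */
function handle_comment_post(array $post, string $remoteAddr, callable $verify_captcha): array
{
    $field = function (string $key) use ($post): string {
        return isset($post[$key]) && is_string($post[$key]) ? trim($post[$key]) : '';
    };
    // Named keys instead of numeric indexes, so the comment text cannot be overwritten.
    $stored = [
        'name'     => $field('name'),
        'email'    => $field('email'),
        'website'  => $field('website'),
        'comment'  => $field('comment'),
        'remember' => isset($post['remember']),
    ];
    $complete  = $stored['name'] !== '' && $stored['email'] !== '' && $stored['comment'] !== '';
    $challenge = $field('recaptcha_challenge_field');
    $response  = $field('recaptcha_response_field');
    // Fail closed: a missing captcha field counts as a failed captcha, not a skipped one.
    $human = $challenge !== '' && $response !== ''
        && $verify_captcha($remoteAddr, $challenge, $response) === true;
    return ['accepted' => $complete && $human, 'stored' => $stored];
}

/** Escape a stored value before echoing it back into the form. */
function form_value(array $stored, string $key): string
{
    return htmlspecialchars((string) ($stored[$key] ?? ''), ENT_QUOTES, 'UTF-8');
}

// Constructed sample POST: wrong captcha answer, comment containing markup.
$post = [
    'name' => 'Visitor', 'email' => 'visitor@example.com',
    'comment' => '</textarea><b>markup</b>',
    'recaptcha_challenge_field' => 'constructed-challenge',
    'recaptcha_response_field'  => 'wrong answer',
];
$verifier = function (string $ip, string $challenge, string $response): bool {
    return $response === 'right answer'; // offline stub, not the real service
};
$result = handle_comment_post($post, '203.0.113.5', $verifier);

echo $result['accepted'] ? "comment accepted\n" : "comment rejected\n";
echo '<textarea name="comment">' . form_value($result['stored'], 'comment') . "</textarea>\n";
```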