On Sun, 2 Oct 2005 13:09:05 +0200 Adrian Rossouw <adrian@bryght.com> wrote:
Something similar is in core already, and will be in Drupal 4.7. It currently cuts out over 99% of the spam I see on KernelTrap: http://drupal.org/node/28420
This has been integrated into the form api.
Cool! :)
To make any form require a token, you set $form[token] = $key;
Where key is something specific to the form. In the case of comment: $form[token] = 'comment' . $edit['nid'] . $edit['pid'];
It's still fairly easy to download the page first and grep out the token to send back though, but it's extra work for the spammer.
Yes. The best solution I have come up with is to track token use, preventing token re-use. I had a nearly working patch a while ago (it tracked the last n-used tokens), but ran out of time. It had some issues telling previews and submits apart, as well as with handling follow-up edits. When it becomes necessary, I will surely dust it off again.

Cheers,
-Jeremy
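
The token re-use tracking discussed in this thread, as an added example that is not code from the thread or from Drupal: each rendered form gets a fresh token bound to the form key, a preview only verifies it, and a submit consumes it. The function names, the per-session secret and the limit of 100 are assumptions.

```php
<?php
// Added example: names and limits are hypothetical, not Drupal's form API.
const MAX_USED = 100; // the "last n" tracked tokens (assumed value)

// Issue a fresh token for each rendered form. $key is the form-specific
// string, e.g. 'comment' . $nid . $pid; $secret is a per-session secret.
function issue_token(string $secret, string $key): string {
    $nonce = bin2hex(random_bytes(16));
    return $nonce . ':' . hash_hmac('sha256', $key . '|' . $nonce, $secret);
}

// Check a posted token. A preview only verifies it; a submit also records
// its nonce, so a second submit with the same token is rejected.
function check_token(array &$used, string $secret, string $key,
                     string $posted, bool $is_preview): bool {
    $parts = explode(':', $posted, 2);
    if (count($parts) !== 2) {
        return false;               // malformed
    }
    [$nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', $key . '|' . $nonce, $secret);
    if (!hash_equals($expected, $mac)) {
        return false;               // not issued for this form and session
    }
    if (in_array($nonce, $used, true)) {
        return false;               // already consumed by an earlier submit
    }
    if (!$is_preview) {
        $used[] = $nonce;
        if (count($used) > MAX_USED) {
            // Bounded list: the oldest nonce is forgotten, so tokens
            // also need an expiry time to stay single-use in practice.
            array_shift($used);
        }
    }
    return true;
}

// Constructed demo values.
$used   = [];
$secret = bin2hex(random_bytes(32));
$nid    = 42;
$pid    = 0;
$key    = 'comment' . $nid . $pid;
$token  = issue_token($secret, $key);
var_dump(check_token($used, $secret, $key, $token, true));   // preview
var_dump(check_token($used, $secret, $key, $token, false));  // first submit
var_dump(check_token($used, $secret, $key, $token, false));  // same token again
```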