[drupal-devel] [bug] comment preview "Required" is easily bypassed

Gerhard Killesreiter killesreiter at physik.uni-freiburg.de
Mon Aug 8 04:50:17 UTC 2005



On Sun, 7 Aug 2005, Jeremy Andrews wrote:

> my filter. I finally realized what the spammer is doing is
> setting $_POST['op'] to 'Post comment', effectively bypassing
> the preview phase.

[...]

> I have the feeling I'm missing a simpler, cleaner solution.
> Suggestions?

I think that the form code rewrite that I've proposed and that Adrian
is/was working on should take care of this. It would check whether a
field "op" could have been present in the original form.

The problem is that in this case we have a dynamic form. I think that
checking of a session variable would help. This would break
posting for clients which do not accept our cookie. Which maybe would be
quite welcome in this case. ;^)

Since you probably do not wait for Drupal 4.7 you should thus try to put
the unique preview ID into the session.

Cheers,
	Gerhard
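
One way to implement the session check suggested above, as an added example that is not part of the original message and not Drupal's own code. The function names, the `preview_id` field and the form key are hypothetical, it uses modern PHP (7+) functions, and a real handler would pass `$_SESSION` instead of the local array.

```php
<?php
// Added example: hypothetical helpers, not the Drupal API.

// Called when the preview page is rendered: mint a one-time ID and
// remember it server-side, keyed by the form it belongs to.
function preview_issue_token(array &$session, string $form_key): string {
    $token = bin2hex(random_bytes(16));
    $session['preview_tokens'][$form_key] = $token;
    return $token; // emitted as the hidden "preview_id" field of the previewed form
}

// Called on submit: decide which operation the request is allowed to perform.
// A client-supplied op of 'Post comment' is honoured only if this session
// was actually shown a preview for this form.
function comment_resolve_op(array &$session, array $post, string $form_key): string {
    $op = $post['op'] ?? '';
    if ($op !== 'Post comment') {
        return 'Preview comment';
    }
    $expected = $session['preview_tokens'][$form_key] ?? null;
    $supplied = $post['preview_id'] ?? '';
    unset($session['preview_tokens'][$form_key]); // single use, even on failure
    if (!is_string($expected) || !is_string($supplied)
        || !hash_equals($expected, $supplied)) {
        return 'Preview comment'; // no valid preview on record: force one
    }
    return 'Post comment';
}

// Constructed sample requests.
$session  = [];                 // stands in for $_SESSION
$form_key = 'comment:node/42';  // constructed form identifier

// 1. Direct POST with op forced to 'Post comment' and no prior preview.
$forged = ['op' => 'Post comment', 'comment' => 'spam'];
echo comment_resolve_op($session, $forged, $form_key), "\n";

// 2. Normal flow: preview first, then submit with the issued ID.
$token = preview_issue_token($session, $form_key);
$legit = ['op' => 'Post comment', 'comment' => 'hello', 'preview_id' => $token];
echo comment_resolve_op($session, $legit, $form_key), "\n";

// 3. Replaying the same ID after it has been consumed.
echo comment_resolve_op($session, $legit, $form_key), "\n";
```

As the message notes, clients that refuse the session cookie never have a token on record and are always sent back to the preview step.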



