[wp-hackers] Possible change to the WP core code?

Fahim Farook fahim at farook.org
Sun Sep 26 05:59:35 UTC 2004


         This is a mail that I originally sent to Matt but somebody 
suggested that I post this to this list as well. So here goes :p

         I've done some work on the WPBlacklist plugin originally developed 
by LaughingLizard (Mark) and in going through the code again a few days ago 
to figure out something, I realized that there is a slight problem in the 
way that comment spam handling is implemented. In wp-comments-post.php, 
towards the end of the file you have the following code:

// If we've made it this far, let's post.
if(check_comment($author, $email, $url, $comment, $user_ip)) {
         $approved = 1;
} else {
         $approved = 0;
}
$wpdb->query("INSERT INTO $tablecomments
(comment_post_ID, comment_author, comment_author_email, comment_author_url, 
comment_author_IP, comment_date, comment_date_gmt, comment_content, 
comment_approved)
VALUES
('$comment_post_ID', '$author', '$email', '$url', '$user_ip', '$now', 
'$now_gmt', '$comment', '$approved')
");
$comment_ID = $wpdb->get_var('SELECT last_insert_id()');
if (!$approved) {
         wp_notify_moderator($comment_ID);
}
if ((get_settings('comments_notify')) && ($approved)) {
         wp_notify_postauthor($comment_ID, 'comment');
}
do_action('comment_post', $comment_ID);

         Now the problem with the above is the fact that most plugin 
developers would use the 'comment_post' action to hook their plugin to 
filter for spam (as I do too). However, if the user had comment 
notification on, they've already received a notification from WP saying 
that a comment was successfully posted on their site if the built-in spam 
filtering did not detect the comment as spam. In order to avoid the 
confusion, I would think it would be simpler to have the above code as follows:

// If we've made it this far, let's post.
if(check_comment($author, $email, $url, $comment, $user_ip)) {
         $approved = 1;
} else {
         $approved = 0;
}
$wpdb->query("INSERT INTO $tablecomments
(comment_post_ID, comment_author, comment_author_email, comment_author_url, 
comment_author_IP, comment_date, comment_date_gmt, comment_content, 
comment_approved)
VALUES
('$comment_post_ID', '$author', '$email', '$url', '$user_ip', '$now', 
'$now_gmt', '$comment', '$approved')
");
$comment_ID = $wpdb->get_var('SELECT last_insert_id()');
// call the post action
do_action('comment_post', $comment_ID);
// check comment status after actions
$stat = wp_get_comment_status($comment_ID);
if ($stat == "unapproved") {
         wp_notify_moderator($comment_ID);
} else if ($stat == "approved") {
         if ((get_settings('comments_notify')) && ($approved)) {
                 wp_notify_postauthor($comment_ID, 'comment');
         }
}

         Basically, move the do_action to just after the comment is added 
to the database and then check the comment status afterwards and send out 
the notifications based on the retrieved status. Now I have no idea if the 
above would create problems in other places but I've had these changes in 
my own WordPress installation for a few days and so far, have not had any 
problems at all. If the code changes can be implemented, then I (and 
probably a lot of other plugin developers) would be really happy since it 
would make our lives easier :p

Regards,

Fahim

---
Freeware for the masses :p
http://www.farook.org
"That's right," he said. "We're philosophers. We think, therefore we am."
-- (Terry Pratchett, Small Gods)
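
The ordering issue described in the mail above, as an added example that is not part of the original message and is not WordPress code. It is a stand-alone simulation in which every name (add_hook, run_hooks, notify, post_comment, the 'casino' blacklist word and the 'spam' status) is a hypothetical stand-in; it shows which notifications go out when a spam plugin hooked on 'comment_post' runs after versus before the notification step.

```php
<?php
// Added illustration: stand-alone stubs, not WordPress functions (all names hypothetical).
$hooks  = [];   // action name => list of callbacks
$status = [];   // comment id  => 'approved' | 'unapproved' | 'spam'
$text   = [];   // comment id  => comment body
$mail   = [];   // notifications that would have been sent

function add_hook(string $name, callable $cb): void {
    global $hooks;
    $hooks[$name][] = $cb;
}

function run_hooks(string $name, int $id): void {
    global $hooks;
    foreach ($hooks[$name] ?? [] as $cb) {
        $cb($id);
    }
}

function notify(string $who, int $id): void {
    global $mail;
    $mail[] = "$who notified about comment $id";
}

// Constructed plugin: reclassifies any comment containing a blacklisted word.
add_hook('comment_post', function (int $id): void {
    global $status, $text;
    if (stripos($text[$id], 'casino') !== false) {
        $status[$id] = 'spam';
    }
});

// $hookFirst = false: order in the quoted core code; true: order proposed in the mail.
function post_comment(int $id, string $body, bool $hookFirst): array {
    global $status, $text, $mail;
    $mail = [];
    $text[$id] = $body;
    $status[$id] = 'approved';           // constructed case: built-in check passed
    if ($hookFirst) {
        run_hooks('comment_post', $id);  // plugins can still change the status
    }
    if ($status[$id] === 'unapproved') {
        notify('moderator', $id);
    } elseif ($status[$id] === 'approved') {
        notify('post author', $id);
    }
    if (!$hookFirst) {
        run_hooks('comment_post', $id);  // too late: the mail has already gone out
    }
    return ['status' => $status[$id], 'mail' => $mail];
}

print_r(post_comment(1, 'Best casino deals', false)); // original order
print_r(post_comment(2, 'Best casino deals', true));  // proposed order
```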




