Mass comment deletion

Jacob Redding — Mon, 13 Aug 2007 00:04:55 +0000

I recently upgraded to Drupal 5.2 from 4.7 and during the upgrade I made rather unfortunate mistake. I switched from using the captcha module on drupal.org to using the mycaptcha module on Heine's website. This wasn't the mistake though. My mistake was that although I had successfully switched over the modules I had misconfigured (i.e didn't turn on) the mycaptcha module. This left my website vulnerable to spambots although not entirely vulnerable because I do use the wonderful spam module in conjunction with mycaptcha.

In less than a week my site had over 1,000 spam messages that made it through the spam module (several thousand caught). Most of these comments didn't contain URLs and had some "comment" that consisted of gibberish; which is why they passed through the spam module. Fortunately for me the spambots hit my site a few time with high spam injections(300+) at each visit. Almost all of them came from a similar IP address. Since the comment module grabs the IP address or Hostname of the person leaving the comment I only had to write a few simple SQL queries to isolate all of the spam comments.

I then used the code below to wipe out hundreds of spam comments with each run.

$sql = "SELECT cid, subject, comment from comments WHERE subject LIKE '%s' AND hostname LIKE '%s' AND name LIKE '%s'"; 
$subject = "";
$hostname = "81.177%";
$name = 'Anonymous';
$results = db_query($sql, $subject, $hostname, $name);
print "Deleting ". db_num_rows($results) . " Comments 
";
while($result = db_fetch_array($results)){
$comment = _comment_load($result['cid']);
_comment_delete_thread($comment);
unset($comment);
}

When writing this little snippet I found it interesting that there is no public API call for deleting comments similar to node_delete(). The function comment_delete() exists but it only returns the form 'comment_confirm_delete'. Although I could have used drupal_execute() to properly fill in and execute the comment_confirm_delete form I found it a bit silly, especially since I knew the cid (comment ID) and I simply wanted to delete it. Heck I could've just did a "DELETE FROM comments WHERE cid = %d" and been done with it but that's not "clean".

So instead of grabbing the form, researching its elements and writing some quick FAPI code I opened up comment.module found the "private" function _comment_delete_thread(). It required a comment object so I also found the, again private, function _comment_load. They work similiar to node_load and node_delete so with these two functions I was on my way to being spam free again!

Now the question is why are _comment_delete_thread() and _comment_load() private?