reCaptcha on my form has a bug

Hey Folks,

I’ve put off adding a captcha on my contact form until now that spam has become overwhelming.

It’s just about there except for one bug I’m hoping you’ll help me with.

I’m using the following in my form’s .php file:

$captcha = isset($_POST['g-recaptcha-response']) ? $_POST['g-recaptcha-response'] : null;
 
if(!is_null($captcha)){
	$res = json_decode(file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=MY-SECRET_KEY-HERE&response=".$captcha."&remoteip=".$_SERVER['REMOTE_ADDR']));
	if($res->success === true){

	}
	else{
		echo 'Forgot the captcha!!!';
	}
}

This goes at the very top of the file and all else is in the nested if.

Everything seems to be working fine except when the captcha is properly done but there are errors in the form’s input. In that case the user must go back and correct the errors. However, the captcha does not refresh and when the form is resubmitted there’s a captcha error.

Hope this makes sense and you can point out my error/s.

How exactly is that accomplished? Your form and form processing code should be on the same page. If there are validation errors, you should re-display the form, generating a new recaptcha, and re-populating the user form fields with existing values so that the user doesn’t need to keep reentering data over and over.

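
The flow suggested in the reply above, as an added example that is not code from the thread: one page validates the fields, verifies the captcha last, and on any failure re-displays the form with the entered values and a freshly rendered widget. This matters because siteverify accepts each response token only once. The field names, `MAIL_TO` and the key placeholders are assumptions.

```php
<?php
// Added example, not the poster's code. Keys, address and field names are placeholders.
const RECAPTCHA_SECRET = 'MY-SECRET-KEY-HERE';
const MAIL_TO = 'owner@example.com';
// Read a POST field as a trimmed string; arrays or missing values become ''.
function field(string $key): string {
    $v = $_POST[$key] ?? '';
    return is_string($v) ? trim($v) : '';
}
// Ask siteverify about a token; the secret goes in the POST body and any failure means "not verified".
function verify_recaptcha(string $token, string $ip): bool {
    if ($token === '') return false;
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query(['secret' => RECAPTCHA_SECRET, 'response' => $token, 'remoteip' => $ip]),
        'timeout' => 5,
    ]]);
    $body = @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $ctx);
    $res = $body === false ? null : json_decode($body);
    return is_object($res) && ($res->success ?? false) === true;
}
[$name, $email, $message] = [field('name'), field('email'), field('message')];
$errors = []; $sent = false;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if ($name === '') $errors[] = 'Please enter your name.';
    // FILTER_VALIDATE_EMAIL also rejects CR/LF, so $email is safe to place in a header.
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) $errors[] = 'Please enter a valid email address.';
    if ($message === '') $errors[] = 'Please enter a message.';
    // Verify the captcha last, so a token is only spent on an otherwise valid submission.
    if (!$errors && !verify_recaptcha(field('g-recaptcha-response'), $_SERVER['REMOTE_ADDR'])) {
        $errors[] = 'Captcha check failed, please try again.';
    }
    if (!$errors && !($sent = mail(MAIL_TO, 'Contact form', $message, 'Reply-To: ' . $email))) {
        $errors[] = 'Sending failed, please try again.';
    }
}
$e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
?>
<?php if ($sent): ?>
  <p>Thanks, your message was sent.</p>
<?php else: ?>
  <?php foreach ($errors as $err): ?><p class="error"><?= $e($err) ?></p><?php endforeach; ?>
  <form method="post">
    <input name="name" value="<?= $e($name) ?>">
    <input name="email" value="<?= $e($email) ?>">
    <textarea name="message"><?= $e($message) ?></textarea>
    <div class="g-recaptcha" data-sitekey="MY-SITE_KEY-HERE"></div>
    <button type="submit">Send</button>
  </form>
  <script src="https://www.google.com/recaptcha/api.js"></script>
<?php endif; ?>
```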

There’s a message instructing the user to go back.

Having the form and form processing code on the same page may be a good way to go, but that’s not what I’ve done. I understand that generating a new recaptcha would be ideal. It’s not happening. That’s why I’m here.

It might help if I tell you that the following is before the closing “head” tag:

<script src='https://www.google.com/recaptcha/api.js'></script>

And the recaptcha is inserted in the form just before the send button:

<div class="g-recaptcha" data-sitekey="MY-SITE_KEY-HERE"></div>

OK, I think I worked it out.

I’ve moved the captcha code to the end of my form’s .php file and included only the following in the nested if:

$captcha = isset($_POST['g-recaptcha-response']) ? $_POST['g-recaptcha-response'] : null;

if(!is_null($captcha)){
	$res = json_decode(file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=MY-SECRET-KEY&response=".$captcha."&remoteip=".$_SERVER['REMOTE_ADDR']));

	if($res->success === true){
		// create email headers
		$headers = 'From: '.$email_from."\r\n".
			'Reply-To: '.$email_from."\r\n" .
			'X-Mailer: PHP/' . phpversion();

		@mail($email_to, $email_subject, $email_message, $headers);

		echo 'We are so happy to hear from you!  Please expect our prompt response.';
	}
	else{
		echo 'Failed to check off captcha!!!  Please go back and try again.';
	}
}

Seems to be working OK. EXCEPT that the two output messages in that chunk of code are WAY tiny on mobile, though they seem OK on my laptop. Other messages not in that chunk work fine. Any idea why this may be happening?

Just as an aside, I don’t like Captcha, Re-Captcha or other user input to confirm they are not a robot. I have abstained from joining a number of sites after trying to identify all the bicycles in 3 different screen displays, differentiate a bridge from scaffolding, is that a chimney?

If you are designing your own form then there are many more intuitive ways of identifying spambots. These techniques can also help avoid real people that are just annoying but know what a set of steps looks like.

Just my opinion.

Care to expand on that, @kerry14 ?

Of course :grinning:

I use hidden fields and form completion timer which actually appears to be preventing 100% of all automatic spambot mail I was receiving.

I know there are a lot of spam messages being blocked because my form sends a spam notification to a spam email account. This means my regular inbox is not bloated but I can still analyze the spam. I am also not notifying the spammer in any way that his attempt has failed (why alert them!)

I am now adding my own personalised database of strings that commonly appear in human emails that I receive from time to time, that are not really spam, but that do not interest me, as well as domains / email addresses that I just want to black list completely.

Hey Guys,

Thanks for sharing. As I looked around for a solution to my problem I did find reference to honeypots and they do seem like a good alternative solution to bot spam.

For now, recaptcha is working. Literally overnight the bot spam has stopped.

Now I need to figure out why some of the output from my .php file is unreadably small. Any suggestions?

I’ll be looking into flushing the stream and see where that leads.