I am using Captcha but there are still attacks by robots

-1

In the form submit I am using the default Captcha validation (Google version 2) for sending email, but for some reason the bot attacks still get through, filling my inbox.

I check it as follows:

require_once('api_recaptcha.php');
$response = null;
$erros_form = [];                                    // collect form errors here
$reCaptcha = new ReCaptcha('*** minha chave ***');   // secret key (redacted)
if (!empty($_POST["g-recaptcha-response"])) {
    $response = $reCaptcha->verifyResponse($_POST["g-recaptcha-response"], $_SERVER['REMOTE_ADDR']);
}
// Only checks that a response object came back, not the verification result the library reports
if ($response == null) {
    $erros_form[] = "Marque o captcha (Não sou um robô)";
}

if (!empty($erros_form)) {
    echo "<script>window.alert('" . $erros_form[0] . "');</script>";
} else {
    // here the email-sending code, which must not run when the Captcha is not ticked
}

Do you have any other way to do this? Or am I doing something wrong? Thanks in advance.

asked by anonymous 03.01.2017 / 13:30

1 answer

1

I do not know what class you're using for this, so I'll recreate this using CURL, although there are other ways to do this.

I created a very simple function to do the job, without using official or existing libraries.

function isCaptchaValid(string $ChaveSecreta, $ClienteCaptcha, $ClienteIP) : bool {

    $ClienteCaptcha = filter_var($ClienteCaptcha, FILTER_DEFAULT);
    $ClienteIP = filter_var($ClienteIP, FILTER_VALIDATE_IP);

    if($ClienteCaptcha && $ClienteIP){

        // Fields expected by the siteverify endpoint
        $valoresPost = [
            'secret' => $ChaveSecreta,
            'response' => $ClienteCaptcha,
            'remoteip' => $ClienteIP
        ];

        $ch = curl_init('https://www.google.com/recaptcha/api/siteverify');

        curl_setopt_array($ch, [
            CURLOPT_POST => 1,
            CURLOPT_POSTFIELDS => $valoresPost,
            CURLOPT_RETURNTRANSFER => 1,
            CURLOPT_SSL_VERIFYHOST => 2,   // certificate must match the host name
            CURLOPT_SSL_VERIFYPEER => 1,   // certificate chain must validate
            CURLOPT_FAILONERROR => 1       // HTTP status >= 400 counts as failure
        ]);

        $corpo = curl_exec($ch);
        curl_close($ch);

        // curl_exec() returns false on a transport error; treat that as "no answer"
        $resposta = is_string($corpo) ? json_decode($corpo, true) : null;

        if(isset($resposta['success'])){
            return (bool) $resposta['success'];
        }

    }

    return false;

}

In this way you just have to do, in HTML:

<form action="SuaPagina.php" method="post">
    <div class="g-recaptcha" data-sitekey="SuaChavePublica"></div>
    <input type="submit">
</form>

<script src='https://www.google.com/recaptcha/api.js'></script>

While in PHP:

if(isset($_POST['g-recaptcha-response'])) {

    //...

    if(isCaptchaValid('SuaChavePrivada', $_POST['g-recaptcha-response'], $_SERVER['REMOTE_ADDR'])){

        echo 'Você preencheu o captcha corretamente :D';
        exit;

    }

}

echo 'Você errou o captcha! :(';

Remember, if you are using CloudFlare, Sucuri, Incapsula (...), you should not use REMOTE_ADDR!


I tried to keep the function as simple as possible; logically, you could do all the processing by creating other functions...

10.03.2017 / 21:20
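As an added example (not code from the question or the answer above), a stricter version of the same siteverify call: besides `success`, it checks the `hostname` and `challenge_ts` fields Google returns, sets a timeout, and fails closed on any transport error. The secret key, expected hostname and sample values are placeholders; the 120-second token lifetime matches reCAPTCHA's documented two-minute validity.

```php
<?php
// Added example, not the question's or answer's code: stricter siteverify check.
declare(strict_types=1);

// Returns the reasons a decoded siteverify body should be rejected; [] means acceptable.
function recaptchaProblems(array $body, string $expectedHost, int $now, int $maxAge = 120): array
{
    $problems = [];
    if (($body['success'] ?? false) !== true) {
        $problems[] = 'success not true: ' . implode(',', $body['error-codes'] ?? []);
    }
    // hostname is the site the widget was solved on; a token solved elsewhere is not ours
    if (($body['hostname'] ?? '') !== $expectedHost) {
        $problems[] = 'hostname mismatch';
    }
    // challenge_ts is ISO 8601 (e.g. "2017-01-03T13:30:00Z"); reject stale or future tokens
    $ts = isset($body['challenge_ts']) ? strtotime((string) $body['challenge_ts']) : false;
    if ($ts === false || $now - $ts > $maxAge || $ts > $now + 60) {
        $problems[] = 'challenge_ts missing or stale';
    }
    return $problems;
}

// Calls siteverify with TLS verification and a timeout; any failure means "not verified".
function verifyRecaptcha(string $secret, string $token, string $expectedHost, ?string $clientIp): bool
{
    if ($token === '' || strlen($token) > 4096) {
        return false;
    }
    $fields = ['secret' => $secret, 'response' => $token];
    if ($clientIp !== null && filter_var($clientIp, FILTER_VALIDATE_IP) !== false) {
        $fields['remoteip'] = $clientIp;   // optional; omit behind a CDN/WAF where REMOTE_ADDR is the proxy
    }
    $ch = curl_init('https://www.google.com/recaptcha/api/siteverify');
    curl_setopt_array($ch, [
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT => 5,              // a slow verifier must not hang the form handler
    ]);
    $raw = curl_exec($ch);
    curl_close($ch);
    $body = is_string($raw) ? json_decode($raw, true) : null;
    return is_array($body) && recaptchaProblems($body, $expectedHost, time()) === [];
}

// Constructed sample: a "success" body solved on another hostname is rejected.
// recaptchaProblems(['success' => true, 'hostname' => 'other.example', 'challenge_ts' => '2017-01-03T13:30:00Z'],
//                   'www.example.com', strtotime('2017-01-03T13:31:00Z')) yields ['hostname mismatch']
```

Call `verifyRecaptcha('SuaChavePrivada', $_POST['g-recaptcha-response'] ?? '', 'www.example.com', $_SERVER['REMOTE_ADDR'] ?? null)` before the email-sending code, and pass `null` for the IP when a proxy sits in front of the site.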