Add Captcha on the form and verify Google Recaptcha in PHP
To add reCAPTCHA to your site, set up the keys in the Google reCAPTCHA Admin console. Once the keys are set up, copy the site key into the form, and use the secret key on the server to verify the reCAPTCHA response.
Add the Recaptcha script on the page.
<script src='https://www.google.com/recaptcha/api.js'></script>
Place the site key generated in the previous step in the widget div as follows.
<div class="g-recaptcha" data-callback="recaptchaCheck" data-sitekey="6LXXXcUiXXXXXXXXXXXXXXXXXXXXXXX9cJIXX"></div>
Here is the complete HTML form.
<form action="./contact.php" method="POST">
<div class="row">
<div class="col-md-6">
<div class="form-group">
<label>Email Address *</label>
<input name="email" type="email" placeholder="you@yoursite.com" class="form-control" required>
</div>
</div>
<div class="col">
<div class="g-recaptcha" data-callback="recaptchaCheck" data-sitekey="6Lf6VcUiAAAAANQgyqhUe_dtlGNLITAV6W9cJIub">
</div>
<br>
<input name="submit" type="submit" class="form-control" value="Submit" />
</div>
</div>
</form>
You will receive the captcha response from the user as the g-recaptcha-response parameter in your form submit POST request.
We need to send this field to the site verification API. Here are the 3 fields that need to be sent: response, secret and remoteip.
To get the client IP address in PHP, we are going to rely on the HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR request headers. Both these request headers are useful in fetching the client IP. Do not blindly trust the data being sent in these headers: the client can set them to any value. Use filter_var to confirm that the value is an IP address. This checks the format only, not that the address really belongs to the client.
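// contact.php
// Pick the first candidate that is present. Both headers are untrusted input.
$ip = null;
if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
    $ip = $_SERVER['HTTP_CLIENT_IP'];
} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    // X-Forwarded-For may hold a comma-separated chain; take the first entry
    $ip = trim(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])[0]);
} else {
    $ip = $_SERVER['REMOTE_ADDR'];
}
// check for valid ip; filter_var() returns false when the value is not an IP,
// so fall back to the address of the actual connection
$ip = filter_var($ip, FILTER_VALIDATE_IP);
if ($ip === false) {
    $ip = $_SERVER['REMOTE_ADDR'];
}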
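One way to act on the warning above, shown as an added example that is not part of the original tutorial: forwarded headers are honoured only when the connection itself comes from a proxy you operate. The TRUSTED_PROXIES list, the function name resolve_client_ip and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example: resolve the client IP, honouring X-Forwarded-For only when
// the TCP peer (REMOTE_ADDR) is a proxy we operate. TRUSTED_PROXIES is a
// hypothetical list; replace it with your own load balancer addresses.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

function resolve_client_ip(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    // Direct connection (or unknown peer): forwarded headers are untrusted input.
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer;
    }
    // Each proxy appends the address it received the request from, so walk
    // the list right to left and stop at the first hop that is not ours.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop and fall back to the peer address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer;
}

// Constructed sample requests (documentation addresses, not real traffic).
$samples = [
    'direct connection with a forged header' => [
        'REMOTE_ADDR' => '203.0.113.7',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.1',
    ],
    'via trusted proxy, extra hop prepended by client' => [
        'REMOTE_ADDR' => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.7',
    ],
    'via trusted proxy, header is not an IP list' => [
        'REMOTE_ADDR' => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => 'not-an-ip',
    ],
];
foreach ($samples as $label => $server) {
    printf("%-50s => %s\n", $label, resolve_client_ip($server, TRUSTED_PROXIES));
}
```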
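Use PHP cURL to send the HTTP POST request to the Google reCAPTCHA siteverify API.
$postData = array(
    // the token is missing when the widget was never solved
    "response" => $_POST["g-recaptcha-response"] ?? "",
    // the secret key must stay on the server; never put it in the page
    "secret" => "6LXXXXXXXXXXXXXXXXXXXPtsLTXXXX",
    "remoteip" => $ip
);
$ch = curl_init('https://www.google.com/recaptcha/api/siteverify');
curl_setopt_array($ch, array(
    CURLOPT_POST => TRUE,
    CURLOPT_RETURNTRANSFER => TRUE,
    CURLOPT_HTTPHEADER => array(
        'Content-Type: application/x-www-form-urlencoded'
    ),
    CURLOPT_POSTFIELDS => http_build_query($postData)
));
// Send the request; curl_exec() returns false on a transport error
$body = curl_exec($ch);
$response = is_string($body) ? json_decode($body) : null;
// var_dump($response);
// Fail closed: anything other than an explicit success is rejected
if (is_object($response) && isset($response->success) && $response->success === true) {
    // successfully save the details in the database
} else {
    echo "Invalid Captcha";
}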
Once you set up the captcha on the site, you can see the verifications on the admin page of Google reCAPTCHA.