How to Validate Google Recaptcha V3 on Server Side

How to validate Google reCAPTCHA v3 on server side?

This is the solution.

index.html

<html>
<head>
<title>Google reCAPTCHA demo - Codeforgeek</title>
<script src='https://www.google.com/recaptcha/api.js'></script>
</head>
<body>
<h1>Google reCAPTCHA Demo</h1>
<!-- action points at verify.php below; the email input needs a name so PHP can read $_POST['email'] -->
<form id="comment_form" action="verify.php" method="post">
    <input type="email" name="email" placeholder="Type your email" size="40"><br><br>
    <textarea name="comment" rows="8" cols="39"></textarea><br><br>
    <input type="submit" name="submit" value="Post comment"><br><br>
    <div class="g-recaptcha" data-sitekey="=== Your site key ==="></div>
</form>
</body>
</html>

verify.php

<?php
// Collect the posted fields; $captcha stays null when the widget response is missing.
$email   = isset($_POST['email']) ? $_POST['email'] : null;
$comment = isset($_POST['comment']) ? $_POST['comment'] : null;
$captcha = isset($_POST['g-recaptcha-response']) ? $_POST['g-recaptcha-response'] : null;

if (!$captcha) {
    echo '<h2>Please check the captcha form.</h2>';
    exit;
}

// Ask Google whether the token is genuine. URL-encode every parameter so the
// token, secret or IP cannot break the query string.
$url = "https://www.google.com/recaptcha/api/siteverify?secret=" . urlencode('YOUR SECRET KEY')
     . "&response=" . urlencode($captcha) . "&remoteip=" . urlencode($_SERVER['REMOTE_ADDR']);
$response = json_decode(file_get_contents($url), true);

// A failed HTTP request (null) is treated the same as a failed verification.
if (empty($response['success'])) {
    echo '<h2>You are spammer ! Get the @$%K out</h2>';
} else {
    echo '<h2>Thanks for posting comment.</h2>';
}
?>

http://codeforgeek.com/2014/12/google-recaptcha-tutorial/

Can I implement reCAPTCHA v3 without verifying the token?

Of course you have to verify it in the background.

Make the request to verify the response token as with reCAPTCHA v2 or Invisible reCAPTCHA.

How would you expect to check whether the captcha was filled in properly any other way? By a simple response to your script from the JavaScript API? It would take 5 seconds to bypass that. A captcha is made to protect you from bots, not from browser users.

Let's imagine that you are verifying the captcha response on the client side (with JavaScript). You get some "true" from some function, saying that the captcha was filled in correctly. And what then? Based on this you redirect the user to one URL instead of another? Or what would be your idea to make the captcha work as any protection? If you did that, everyone could just go directly to the URL, bypassing it. Or are you going to implement some session, server-side protection? If so, why not use the one that is already implemented in reCAPTCHA? There is no way to make a script that would protect you from bots or spam without server-side verification.

Google reCAPTCHA: How to get the user response and validate it on the server side?

The cool thing about the new Google reCAPTCHA is that the validation is now completely encapsulated in the widget. That means that the widget will take care of asking questions and validating responses all the way until it determines that a user is actually a human; only then do you get a g-recaptcha-response value.

But that does not keep your site safe from HTTP client request forgery.

Anyone with knowledge of HTTP POST could put random data in the g-recaptcha-response form field and fool your site into thinking that this field was provided by the Google widget. So you have to validate this token.

In human speech, it would go like this:

  • Your Server: Hey Google, there's a dude that tells me that he's not a robot. He says that you already verified that he's a human, and he told me to give you this token as proof of that.
  • Google: Hmm... let me check this token... yes I remember this dude I gave him this token... yeah he's made of flesh and bone let him through.
  • Your Server: Hey Google, there's another dude that tells me that he's a human. He also gave me a token.
  • Google: Hmm... it's the same token you gave me last time... I'm pretty sure this guy is trying to fool you. Tell him to get off your site.

Validating the response is really easy. Just make a GET request to

https://www.google.com/recaptcha/api/siteverify?secret=your_secret&response=response_string&remoteip=user_ip_address

And replace response_string with the value you earlier got from the g-recaptcha-response field.

You will get a JSON Response with a success field.

More information here:
https://developers.google.com/recaptcha/docs/verify

Edit: It's actually a POST, as per the documentation here.

How to validate Google reCAPTCHA from the server (Java) side?

Your best option is to verify it using JavaScript before submitting your form.

function checkCaptcha() {
    // grecaptcha.getResponse() returns an empty string until the widget has been solved
    if (!grecaptcha.getResponse()) {
        alert("You need to prove that you're not a robot");
    } else {
        document.getElementById('yourFormId').submit();
    }
}

And in your <form>, change the <button> type to button and call checkCaptcha() on click:

<button type='button' onclick='checkCaptcha()'>Login</button>

because by default the type is submit, which causes the form to submit on press.

If you want to validate reCAPTCHA from the server side, take a look at the following post of mine.

  • How to validate reCAPTCHA V2 Java (Servlet)

Google Recaptcha v3 example demo

Simple code to implement reCAPTCHA v3

The basic JS code

<script src="https://www.google.com/recaptcha/api.js?render=your reCAPTCHA site key here"></script>
<script>
grecaptcha.ready(function() {
    // request a reCAPTCHA token; execute() returns a promise resolved with the token
    grecaptcha.execute('your reCAPTCHA site key here', {action: 'validate_captcha'})
        .then(function(token) {
            // add the token value to the form's hidden field
            document.getElementById('g-recaptcha-response').value = token;
        });
});
</script>

The basic HTML code

<form id="form_id" method="post" action="your_action.php">
<input type="hidden" id="g-recaptcha-response" name="g-recaptcha-response">
<input type="hidden" name="action" value="validate_captcha">
.... your fields
</form>

The basic PHP code

$captcha = isset($_POST['g-recaptcha-response']) ? $_POST['g-recaptcha-response'] : false;

if (!$captcha) {
    // Do something with the error, then stop: $response is never set on this path
    exit;
}

$secret = 'Your secret key here';
$response = file_get_contents(
    "https://www.google.com/recaptcha/api/siteverify?secret=" . urlencode($secret)
    . "&response=" . urlencode($captcha) . "&remoteip=" . urlencode($_SERVER['REMOTE_ADDR'])
);
// use json_decode to extract the JSON response (null if the request failed or was not JSON)
$response = json_decode($response);

if ($response === null || $response->success !== true) {
    // Do something with the error, then stop
    exit;
}

// ... The captcha is valid, you can continue with the rest of your code
// ... Add code to filter access using $response->score
if ($response->score <= 0.5) {
    // Do something to deny access
}

You have to filter access using the value of $response->score. It can take values from 0.0 to 1.0, where 1.0 means the best user interaction with your site and 0.0 the worst interaction (like a bot). You can see some examples of use in the reCAPTCHA documentation.
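The PHP in the v2 solution at the top of the page and in the v3 example just above only checks the success flag. The following is an added example, not code from any of the answers or from Google, written in Python so it runs stand-alone: it POSTs the token to siteverify (the secret in the body, not the URL) and then makes a fail-closed decision that also checks the hostname, the token age (challenge_ts), the v3 action and the score. The expected hostname example.com, the sample payloads and the fixed clock NOW are constructed assumptions; fetch_siteverify is the only part that needs network access.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def fetch_siteverify(secret, token, remote_ip=None, timeout=5):
    """POST secret + token to siteverify and return the decoded JSON (needs network)."""
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    # Form-encoded POST body, so the secret never lands in a URL or access log.
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(SITEVERIFY_URL, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def assess(result, expected_hostname, expected_action=None, min_score=0.5,
           max_age=timedelta(minutes=2), now=None):
    """Fail-closed decision on a decoded siteverify payload: (allowed, reason).
    Works for v2 (no score/action) and v3; `now` is injectable for offline tests."""
    if not isinstance(result, dict) or result.get("success") is not True:
        return False, "siteverify failure: %s" % (result.get("error-codes") if isinstance(result, dict) else result,)
    if result.get("hostname") != expected_hostname:
        return False, "token minted for another host: %r" % result.get("hostname")
    try:  # challenge_ts is ISO 8601 UTC (e.g. 2024-05-01T12:00:00Z); tokens expire after ~2 min
        issued = datetime.strptime(result["challenge_ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (KeyError, ValueError, TypeError):
        return False, "missing or malformed challenge_ts"
    age = (now or datetime.now(timezone.utc)) - issued
    if not timedelta(0) <= age <= max_age:
        return False, "token too old or from the future (age %s)" % age
    if expected_action is not None and result.get("action") != expected_action:
        return False, "action mismatch: %r" % result.get("action")
    if "score" in result and not (isinstance(result["score"], (int, float)) and result["score"] >= min_score):
        return False, "score %r below threshold %s" % (result["score"], min_score)
    return True, "ok"


# Constructed sample payloads in the shape siteverify returns (not captured from Google).
NOW = datetime(2024, 5, 1, 12, 1, 0, tzinfo=timezone.utc)
V3_GOOD = {"success": True, "score": 0.9, "action": "validate_captcha",
           "challenge_ts": "2024-05-01T12:00:30Z", "hostname": "example.com"}
V3_LOW_SCORE = dict(V3_GOOD, score=0.1)
V3_WRONG_ACTION = dict(V3_GOOD, action="login")
V2_STALE = {"success": True, "challenge_ts": "2024-05-01T11:00:00Z", "hostname": "example.com"}
```

In production call `assess(fetch_siteverify(secret, token, remote_ip), "your.host", expected_action="validate_captcha")` and pick min_score per form; the action check only applies to v3, where the action must match the one passed to grecaptcha.execute().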
