PHP Captcha Scripts and Tutorial with Google reCAPTCHA
This page is a tutorial on "PHP Captcha Scripts and Tutorial with Google reCAPTCHA." Our overall method was to sign up with Google reCAPTCHA and use the materials and examples they provide. Both PHP Captcha Scripts and Tutorial with Arithmetic Question and PHP Captcha Scripts and Tutorial with Text Copying use the PHP GD Library and a TrueType font to make captchas. But the Google script used to display the reCAPTCHA generated by Google reCAPTCHA needs no library, since it doesn't even use a captcha, as you can see in the example above.
Using this reCaptcha method is the safest free way to do captchas, and it is starting to get popular as well as effective. But it's more fun to make your own captcha system, like the ones we supply. If you are prioritizing safety and popularity and effectiveness over fun, use the Google reCAPTCHA system.
A CAPTCHA is a program that can tell whether its user is a human or a computer, unless it gets fooled by a very smart bot. You've probably seen lots of captchas. They are colorful images with distorted text at the bottom of Web registration forms, logins, polls, etc. CAPTCHAs are used by many websites to prevent abuse from "bots," or automated programs usually written to read registration forms and then sign up like a human would. Bots' goals are mostly to generate spam. No computer program can read distorted text as well as humans can, so bots cannot navigate sites protected by CAPTCHAs. (Yet.) However, Google is trying to redefine CAPTCHAs by having a simple box to click in. This makes it easier on both the site visitors and the website programmers. Their method is easier to insert on a website form.
Interestingly, if hackers are trying to spam a site using a nasty bot, and they turn off JavaScript, it (the PHP form validation script) will fail to validate the form input as legitimate and tell the visitor to check the captcha box. If JavaScript IS turned on but the form is submitted without first checking the captcha box, the same thing will happen—Google really wants that box to be checked! And if Google finds your input suspicious, it will not only require checking the captcha box but also solving a graphic puzzle in which a bunch of little pictures in a grid are displayed and you're supposed to click on all the ones that are bread or are birthday cakes, or whatever. Didn't see that one coming, did ya?! Google boasts that their No-captcha reCAPTCHA is tough on bots but easy on humans. We've installed it on a couple of sites. So far, it works fine. How long before the hackers find a workaround or exploit for this reCAPTCHA system? Time will tell.
The rest of this page assumes you wish to use a reCAPTCHA captcha script. They can be used on anything captchas can be used on—even though this Google version is nothing but a square that turns into a circle and a statement that says "I'm not a robot." You're supposed to click in the box to state that you are a person and not a dreaded spambot.
When you sign up, you list the site you want their captcha on and the page description and they give you two keys—a site key and a secret key. Keep them secret! You're also given instructions and code:
In the HTML page with the form on it that needs a captcha, insert this before the ending </head> tag:
<script src='https://www.google.com/recaptcha/api.js'></script>
And insert this before the ending </form> tag:
<div class="g-recaptcha" data-sitekey="yoursitecaptchakey"></div>
Don't forget to replace our "yoursitecaptchakey" and 'yoursecretcaptchakey' with the keys Google gives you. For the PHP form handler page that validates (or doesn't) the form input, here's what we did for one of the sites we worked on:
<?php
// The captcha check runs first and uses no JavaScript in its replies.
$captcha=$_POST['g-recaptcha-response'] ?? '';
if(!$captcha){exit("Please check the captcha form. Press Back button.");}
// The secret goes into the URL without quotes, and every parameter is URL-encoded.
$response=file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=".urlencode('yoursecretcaptchakey')."&response=".urlencode($captcha)."&remoteip=".urlencode($_SERVER['REMOTE_ADDR']));
// siteverify answers with JSON; decode it and stop unless "success" is exactly true.
$result=($response===false)?null:json_decode($response,true);
if(!is_array($result) || ($result['success'] ?? false)!==true)
{exit("Fill fields, please. Press Back button.");}
// Remove every character outside the allowed set and return the cleaned string.
function cleanit($T){
$pattern1 = '/[^a-zA-Z0-9\\s\\.\\,\\!\\-\\_\\?\\:\\/\\=\\&]/i';
return preg_replace($pattern1, '', $T);}
// The release must be agreed to before anything else is looked at.
$agree=$_POST['agree'] ?? '';
if ($agree != "agree") {$agree="no!";echo '<script language="javascript">alert("You must agree with MODEL/ACTRESS AND VIDEOGRAPHER RELEASE AND ASSIGNMENT for your submission to be taken seriously.");window.location = "index.html#input";</script>';exit();}
// Clean and length-check each text field.
$Name=cleanit($_POST['Name'] ?? '');
if (strlen($Name)<5){
echo '<script language="javascript">alert("Please enter your full real name. It will be kept private.");window.location = "index.html#input";</script>';exit();}
$fakename=cleanit($_POST['fakename'] ?? '');
$email = htmlspecialchars($_POST['email'] ?? '', ENT_QUOTES);
if (!preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/",$email)) {echo '<script language="javascript">alert("Please enter valid email address.");window.location = "index.html#input";</script>';exit();}
$whereclips=$_POST['whereclips'] ?? '';
$findclips=cleanit($_POST['findclips'] ?? '');
if (strlen($findclips)<4){echo '<script language="javascript">alert("We need a URL, the word MAIL, or something else useful here.");window.location = "index.html#input";</script>';exit();}
// Visitor input goes only into the message body; the mail headers are fixed strings.
if ($agree == "agree") {
$to = "contest@poems.info";
$subject="Poems site contact re: video clips";
$message = "Agree?: ".$agree." on ".date("l dS \of F Y h:i:s A")."\n\nName: ".$Name."\n\nEmail: ".$email."\n\nFakename: ".$fakename."\n\nWhere?: ".$whereclips."\n\nFind em here: ".$findclips;
$headers = "From: contest@poems.info\r\nReply-To: contest@poems.info";
if(mail($to, $subject, $message, $headers)){echo '<script language="javascript">alert("Checking your info. If your submission seems OK, we will get back to you.");window.location = "index.html";</script>';exit();}
else{echo "<center><font face='Verdana' size='2' color=red>There is some system problem in sending us your info. <br><br><input type='button' value='Retry' onClick='history.go(-1)'></font></center>";}
}
?>
Note that in validating the captcha response script, we did not use JavaScript, just in case the visitor (or spambot?) has JavaScript turned off. That way the response "Please check the captcha form. Press Back button." will be seen whether or not JavaScript is turned off. All other form input checker scripts above use JavaScript to deliver the response, and then they are followed by the PHP exit() function to make sure the script goes no further (which it can due to the fact that JavaScript is browser based and client side while PHP is server only).
It is okay to use JavaScript for these later scripts since the visitor with scripting turned off cannot possibly get past the initial captcha response checking script anyway. Besides, these scripts use the window.location function to return to the HTML page, which is more convenient than the "Press Back Button" message that PHP exiting uses here (using the PHP exit() function). Why not use some of the other PHP methods for going back a page?
We wouldn't use the $_SERVER referrer, as that can be manipulated and thus cannot be trusted. And we didn't want the hassle of using sessions. Sessions are NOT a good way of returning to the last page: if the user has two tabs open at the same time, the session variable will be overwritten by either tab. We also wanted to avoid the unreliability and vulnerability of using the header("Location: index.php") function. And the $_SERVER['HTTP_REFERER'] is unreliable, and it's a pretty bad idea overall as the header can be hijacked. And storing the previous page in a query string may start opening up XSS holes. So let the visitor hit the back button, which is both secure and easy.
Note that Google's captcha requires JavaScript and it won't be visible on the form without it, but the visitor will be dumped out of the script above once it is determined the captcha has not been checked, so the visitor has been invalidated for having scripting off—as he should be.
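A stricter form of the captcha check above, as an added example that is not part of the original tutorial: it sends the token by POST with a timeout, decodes the JSON reply, and rejects anything that is not an explicit success for the expected hostname. The names recaptcha_verdict, recaptcha_fetch and EXPECTED_HOST, and the sample replies, are assumptions made for this example.

```php
<?php
// Added example: decide on a siteverify reply, failing closed on anything unexpected.
// EXPECTED_HOST and the sample replies are constructed for illustration.
const EXPECTED_HOST = 'www.example.com';

// Returns [bool $ok, string $reason] for a raw siteverify response body.
function recaptcha_verdict($body, string $expectedHost): array
{
    if (!is_string($body) || $body === '') {
        return [false, 'no reply from siteverify'];   // network error or timeout
    }
    $data = json_decode($body, true);
    if (!is_array($data)) {
        return [false, 'reply is not JSON'];
    }
    if (($data['success'] ?? false) !== true) {
        $codes = implode(',', (array)($data['error-codes'] ?? []));
        return [false, 'rejected: ' . ($codes !== '' ? $codes : 'unknown')];
    }
    // hostname names the site where the box was ticked; require it to be ours.
    if (($data['hostname'] ?? '') !== $expectedHost) {
        return [false, 'token issued for another hostname'];
    }
    return [true, 'ok'];
}

// POSTs the token so the secret key stays out of the URL, which PHP warnings print.
function recaptcha_fetch(string $secret, string $token, string $ip)
{
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query(['secret' => $secret, 'response' => $token, 'remoteip' => $ip]),
        'timeout' => 5,
    ]]);
    return @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $ctx);
}

// Constructed replies, so the decision logic runs offline without calling Google.
$samples = [
    '{"success": true, "challenge_ts": "2024-01-01T00:00:00Z", "hostname": "www.example.com"}',
    '{"success": false, "error-codes": ["timeout-or-duplicate"]}',
    '{"success": true, "hostname": "other.example.net"}',
    '<html>502 Bad Gateway</html>',
    false,
];
foreach ($samples as $body) {
    [$ok, $why] = recaptcha_verdict($body, EXPECTED_HOST);
    echo ($ok ? 'ACCEPT' : 'REJECT') . " - $why\n";
}
```

In a live handler, pass the return value of recaptcha_fetch() for the posted g-recaptcha-response to recaptcha_verdict() and exit unless the first element is true.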