google / recaptcha

PHP client library for reCAPTCHA, a free service to protect your website from spam and abuse.
http://www.google.com/recaptcha/
BSD 3-Clause "New" or "Revised" License

Spammers getting through #406

Open razzerar opened 3 years ago

razzerar commented 3 years ago

Since last week something happened with the reCAPTCHA, and I re-downloaded the ZIP from here and uploaded the new files. I have the following code in my registration form, but spammers are still getting through since this happened.

Anyone got any solution?

reCAPTCHA PHP client library Version: 1.2.4

    // reCAPTCHA validation
    // Runs only when the g-recaptcha-response field is present in the POST body
    if (isset($_POST['g-recaptcha-response'])) {

        require('component/recaptcha/src/autoload.php');

        $recaptcha = new \ReCaptcha\ReCaptcha(SECRET_KEY, new \ReCaptcha\RequestMethod\SocketPost());

        $resp = $recaptcha->verify($_POST['g-recaptcha-response'], $_SERVER['REMOTE_ADDR']);

        if (!$resp->isSuccess()) {
            setError(t("invalid_captcha", "Captcha confirmation is invalid."));
        }
    }
beaurepair commented 3 years ago

That looks like you're only validating the response if it exists.

We've found lots of spammers will simply delete the g-recaptcha-response form field before submitting the form, hoping for validation like yours. You need to validate whenever you expect the response to be in the form, not just when you find it.
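The fix beaurepair describes, as an added example that is not code from the library, the issue author, or the commenter: the verification runs on every submission, so a request with the `g-recaptcha-response` field stripped out fails instead of silently skipping the check. It assumes the same autoloader path, `SECRET_KEY`, `setError()` and `t()` as the original snippet; `verifyRequiredRecaptcha` and the `example.com` hostname are placeholders for this illustration.

```php
<?php
// Added example; assumes the reCAPTCHA PHP client (v1.2.x) is autoloaded from
// this path and that SECRET_KEY, setError() and t() come from the application,
// as in the original post.
require 'component/recaptcha/src/autoload.php';

/**
 * Validate the reCAPTCHA for a form that is required to carry one.
 *
 * Unlike an isset()-guarded check, this is called on every submission: a
 * missing or empty token is a failure, not a pass. Returns the library's
 * error codes, or an empty array on success.
 */
function verifyRequiredRecaptcha(array $post, string $remoteIp, ?string $expectedHostname = null): array
{
    // Normalise an absent field to an empty string. The library rejects an
    // empty token with the 'missing-input-response' code before contacting
    // Google, so the check no longer depends on the field being present.
    $token = isset($post['g-recaptcha-response']) ? (string) $post['g-recaptcha-response'] : '';

    $recaptcha = new \ReCaptcha\ReCaptcha(SECRET_KEY, new \ReCaptcha\RequestMethod\SocketPost());

    if ($expectedHostname !== null) {
        // Optional hardening: refuse tokens that were solved on another site
        // and replayed against this form.
        $recaptcha->setExpectedHostname($expectedHostname);
    }

    $resp = $recaptcha->verify($token, $remoteIp);

    return $resp->isSuccess() ? [] : $resp->getErrorCodes();
}

// In the registration handler the call is unconditional; 'example.com' is a
// placeholder for the site's own hostname.
$errors = verifyRequiredRecaptcha($_POST, $_SERVER['REMOTE_ADDR'], 'example.com');

if ($errors !== []) {
    // Keep the specific codes ('missing-input-response', 'invalid-input-response',
    // 'timeout-or-duplicate', ...) in the server log for debugging; show the
    // user only a generic message.
    error_log('reCAPTCHA failed: ' . implode(',', $errors));
    setError(t("invalid_captcha", "Captcha confirmation is invalid."));
    // stop processing the registration here
}
```

The important property is that nothing in the request decides whether the check runs: the handler knows this form must carry a token, so it always calls `verify()`. Logging `getErrorCodes()` also tells you which case you are actually seeing (stripped field versus forged or reused token) rather than guessing.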