如何验证谷歌Recaptcha V3响应?
如何验证谷歌Recaptcha V3响应?
提问于 2018-05-18 15:26:19
如何在客户端和服务器端( reCAPTCHA )集成谷歌php版本3。下面的代码用来显示recaptcha,但它工作得不好。如何进行这种集成。
<html>
<head>
<script src='https://www.google.com/recaptcha/api.js?render=XXXX-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'></script>
</head>
<body>
<script>
grecaptcha.ready(function() {
grecaptcha.execute('XXXX-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', {
action: 'action_name'
});
});
</script>
<form action="verify.php" method="post">
<input type="text" name="name" placeholder="Your name" required>
<input type="email" name="email" placeholder="Your email address" required>
<textarea name="message" placeholder="Type your message here...." required></textarea>
<input type="submit" name="submit" value="SUBMIT">
</form>
</body>
</html>
Verify.php
<?php
if(isset($_POST['g-recaptcha-response']) && !empty($_POST['g-recaptcha-response'])) {
//your site secret key
$secret = 'XXXX-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
//get verify response data
$verifyResponse = file_get_contents('https://www.google.com/recaptcha/api/siteverify?secret='.$secret.'&response='.$_POST['g-recaptcha-response']);
$responseData = json_decode($verifyResponse);
if($responseData->success):
print_r("Working Fine"); exit;
else:
print_r("No valid Key"); exit;
endif;
} else {
print_r("Not Working Captcha"); exit;
}
?>回答 5
Stack Overflow用户
发布于 2019-07-25 20:53:30
使用纯JavaScript和PHP通过Google reCAPTCHA v3验证的联系人表单的一个简单示例
跳到底部的代码。
相关reCAPTCHA文档等:
集成创建密钥:https://www.google.com/recaptcha/admin/create
- Frontend
(如果谷歌在听,我们喜欢你的作品,如果能有更多精致的例子链接到上面的页面,那就太好了。)
概述:
- 从谷歌获取密钥
- 在html
- 劫持表单的头部加载recaptcha/api.js使用JavaScript提交表单,然后从Google
- Submit表单获取令牌并将令牌发送到您的服务器
- 从您的网站后端向谷歌发出请求以验证表单的响应,并根据需要进行
<代码>G224
需要注意的重要一点: 'success‘响应参数仅指示验证码是否已成功评估,它不指示提交是否可能是垃圾邮件。
'score‘参数是您需要知道的结果。分数越高(0到1之间的数字),提交的文章就越有可能是真的,这取决于你接受什么阈值(例如0.5)。
详细说明:
将以下行添加到HTML头,以加载recaptcha api.js代码:
<script src="https://www.google.com/recaptcha/api.js?render=$reCAPTCHA_site_key"></script>(其中$reCAPTCHA_site_key是您的公共“站点密钥”,我已将其保存在“config.php”文件中。)
您需要向您的服务器提交一个令牌(从Google收到,每次表单提交都是唯一的)。我认为最简单的方法就是将它和其他表单数据一起通过POST发送。为此,我在表单中包含了一个隐藏字段,如下所示:
<form id="contactForm" method="post" action="contact">
<!-- other form inputs -->
<input type="hidden" id="gRecaptchaResponse" name="gRecaptchaResponse">
<input type="submit" name="contact_submit" value="Send message">
</form>(注意:"contact“是contact.php,但我已经用.htaccess”重写“了url )
现在我们需要劫持默认表单提交来生成令牌。我们可以在页面加载时生成令牌,但由于令牌的有效期只有两分钟(如果我没看错https://developers.google.com/recaptcha/docs/verify页面),我认为最好是在需要将其发送到站点的服务器时获取它。
为此,我在form结束标记后面添加了以下内容:
<script>
contactForm.addEventListener('submit', event => {
event.preventDefault()
validate(contactForm)
});
</script>我将validate(form)函数放在结束主体标记之前:
function validate(form) {
//perform optional error checking on form. If no errors then request a token and put it into the hidden field
getRecaptchaToken(form)
}
//some other (optional) form validation functions
function getRecaptchaToken(form) {
grecaptcha.ready(function() {
grecaptcha.execute($reCAPTCHA_site_key, {action: 'contactForm'}).then(function(token) {
gRecaptchaResponse.value = token //set the value of the hidden field
form.submit() //submit the form
});
});
}备注:
$reCAPTCHA_site_key是您的公共站点Keyaction: 'contactForm'在Google reCAPTCHA仪表板中标识此特定表单的提交,并在后端确认它是预期的,这是建议的额外安全步骤
在主PHP文件中,当收到表单提交时:
//get the IP address of the origin of the submission
$ip = $_SERVER['REMOTE_ADDR'];
//construct the url to send your private Secret Key, token and (optionally) IP address of the form submitter to Google to get a spam rating for the submission (I've saved '$reCAPTCHA_secret_key' in config.php)
$url = 'https://www.google.com/recaptcha/api/siteverify?secret=' . urlencode($reCAPTCHA_secret_key) . '&response=' . urlencode($g_recaptcha_response) . '&remoteip=' . urlencode($ip);
//save the response, e.g. print_r($response) prints { "success": true, "challenge_ts": "2019-07-24T11:19:07Z", "hostname": "your-website-domain.co.uk", "score": 0.9, "action": "contactForm" }
$response = file_get_contents($url);
//decode the response, e.g. print_r($responseKeys) prints Array ( [success] => 1 [challenge_ts] => 2019-07-24T11:19:07Z [hostname] => your-website-domain.co.uk [score] => 0.9 [action] => contactForm )
$responseKeys = json_decode($response, true);
//check if the test was done OK, if the action name is correct and if the score is above your chosen threshold (again, I've saved '$g_recaptcha_allowable_score' in config.php)
if ($responseKeys["success"] && $responseKeys["action"] == 'contactForm') {
if ($responseKeys["score"] >= $g_recaptcha_allowable_score) {
//send email with contact form submission data to site owner/ submit to database/ etc
//redirect to confirmation page or whatever you need to do
} elseif ($responseKeys["score"] < $g_recaptcha_allowable_score) {
//failed spam test. Offer the visitor the option to try again or use an alternative method of contact.
}
} elseif($responseKeys["error-codes"]) { //optional
//handle errors. See notes below for possible error codes
//personally I'm probably going to handle errors in much the same way by sending myself a the error code for debugging and offering the visitor the option to try again or use an alternative method of contact
} else {
//unkown screw up. Again, offer the visitor the option to try again or use an alternative method of contact.
}备注:
- 这是将在来自谷歌的响应中的数据(作为JSON对象返回):
{
"success": true|false, // whether this request was a valid reCAPTCHA token for your site
"score": number // the score for this request (0.0 - 1.0)
"action": string // the action name for this request (important to verify)
"challenge_ts": timestamp, // timestamp of the challenge load (ISO format yyyy-MM-dd'T'HH:mm:ssZZ)
"hostname": string, // the hostname of the site where the reCAPTCHA was solved
"error-codes": [...] // optional
}
以下是可能的错误代码:
- missing-input-secret:
- 参数为missing.
- invalid-input-secret:,secret参数无效或malformed.
- missing-input-response:,response参数为missing.
- invalid-input-response:,response参数无效,malformed.
- bad-request:,请求无效,malformed.
- timeout-or-duplicate:,响应不再有效;或者太旧,或者已被使用previously.
把所有这些放在一起:
contact.php
<?php //contact.php
require_once('config.php');
//do server-side validation of other form fields
if (/*form has been submitted and has passed server-side validation of the other form fields*/) {
$ip = $_SERVER['REMOTE_ADDR'];
$url = 'https://www.google.com/recaptcha/api/siteverify?secret=' . urlencode($reCAPTCHA_secret_key) . '&response=' . urlencode($g_recaptcha_response) . '&remoteip=' . urlencode($ip);
$response = file_get_contents($url);
$responseKeys = json_decode($response, true);
if ($responseKeys["success"] && $responseKeys["action"] == 'contactForm') {
if ($responseKeys["score"] >= $g_recaptcha_allowable_score) {
//send email with contact form submission data to site owner/ submit to database/ etc
//redirect to confirmation page or whatever you need to do
} elseif ($responseKeys["score"] < $g_recaptcha_allowable_score) {
//failed spam test. Offer the visitor the option to try again or use an alternative method of contact.
}
} elseif($responseKeys["error-codes"]) { //optional
//handle errors. See notes below for possible error codes
//(I handle errors by sending myself an email with the error code for debugging and offering the visitor the option to try again or use an alternative method of contact)
} else {
//unkown screw up. Again, offer the visitor the option to try again or use an alternative method of contact.
}
exit;
} else { //(re)display the page with the form
echo <<<_END
<!DOCTYPE html>
<html lang="en">
<head>
<title>Contact | Your website</title>
<link rel="stylesheet" href="css/style.css">
<script src="https://www.google.com/recaptcha/api.js?render=$reCAPTCHA_site_key"></script>
</head>
<body>
<!-- header etc -->
<form id="contactForm" method="post" action="contact">
//other form inputs
<input type="hidden" id="gRecaptchaResponse" name="gRecaptchaResponse">
<input type="submit" name="contact_submit" value="Send message">
</form>
<script>
contactForm.addEventListener('submit', event => {
event.preventDefault()
validate(contactForm)
});
</script>
<!-- footer etc -->
<script>
function validate(form) {
//perform optional client-side error checking of the form. If no errors are found then request a token and put it into the hidden field. Finally submit the form.
getRecaptchaToken(form)
}
//some (optional) form field validation functions
function getRecaptchaToken(form) {
grecaptcha.ready(function() {
grecaptcha.execute($reCAPTCHA_site_key, {action: 'contactForm'}).then(function(token) {
gRecaptchaResponse.value = token
form.submit()
});
});
}
</script>
</body>
</html>
_END;config.php
<?php //config.php
//other site settings
// Google reCAPTCHA v3 keys
// For reducing spam contact form submissions
// Site key (public)
$reCAPTCHA_site_key = 'N0t-a-real-0N3_JHbnbUJ-BLAHBLAH_Blahblah';
// Secret key
$reCAPTCHA_secret_key = 'N0t-a-real-0N3_i77tyYGH7Ty6UfG-blah';
// Min score returned from reCAPTCHA to allow form submission
$g_recaptcha_allowable_score = 0.5; //Number between 0 and 1. You choose this. Setting a number closer to 0 will let through more spam, closer to 1 and you may start to block valid submissions.Stack Overflow用户
发布于 2018-06-08 04:34:10
<html>
<head>
<script src='https://www.google.com/recaptcha/api.js?render=6Le7-FkUAAAAADDSsTVBvpoUB5MkesNKgPVemFf-UD'></script>
</head>
<body>
<script>
// when form is submit
$('form').submit(function() {
// we stoped it
event.preventDefault();
// needs for recaptacha ready
grecaptcha.ready(function() {
// do request for recaptcha token
// response is promise with passed token
grecaptcha.execute('6Le7-FkUAAAAADDSsTVBvpoUB5MkesNKgPVemFf-UD', {action: 'create_comment'}).then(function(token) {
// add token to form
$('form').prepend('<input type="hidden" name="token" value="' + token + '">');
$('form').prepend('<input type="hidden" name="action" value="create_comment">');
// submit form now
$('form').unbind('submit').submit();
});;
});
});
</script>
<form action="verify.php" method="post">
<input type="text" name="name" placeholder="Your name" required >
<input type="email" name="email" placeholder="Your email address" required>
<textarea name="message" placeholder="Type your message here...." required></textarea>
<input type="submit" name="submit" value="SUBMIT">
</form>
</body>
</html>php
$token = $_POST['token'];
$secret = 'ur secret';
$action = $_POST['action'];
// now you need do a POST requst to google recaptcha server.
// url: https://www.google.com/recaptcha/api/siteverify.
// with data secret:$secret and response:$token 此时,您需要向ReCAPTCHA发出post请求来验证令牌,如下所示:https://www.google.com/recaptcha/api/siteverify。响应将是一个json对象,字段为"success“(true/false),"action”用于比较(==)和score (数字从0.0到1.0)
https://developers.google.com/recaptcha/docs/v3#api-response。
您还可以为每个请求指定操作名称(create_post、update_post、create_comment ...)
Stack Overflow用户
发布于 2018-11-19 13:28:27
尝尝这个。
<script>
grecaptcha.ready(function() {
grecaptcha.execute('YOUR_SITE_KEY', {action: 'MyForm'})
.then(function(token) {
console.log(token)
document.getElementById('g-recaptcha-response').value = token;
});
});
</script>
<form action="verify.php" method="post">
<input type="hidden" id="g-recaptcha-response" name="g-recaptcha-response">
<input type="text" name="name" placeholder="Your name" required >
<input type="email" name="email" placeholder="Your email address" required>
<input type="submit" name="submit" value="SUBMIT" >
</form>页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/50405977
复制相关文章
相似问题