How to securely use reCaptcha with jQuery and PHP - php

I am writing a user signup form that will use reCaptcha on a jQuery html web page with a PHP backend. When a successful challenge is entered I am not sure how to submit the information to the PHP backend in such a way that it can't be bypassed. The website is running over HTTPS.
I currently check to see if the captcha is correct via using $.ajax(). This submits the recaptcha_challenge_field and recaptcha_response_fieldto a small PHP script
that calls recaptcha_check_answer() and returns success or failure.
Upon success, I can either submit the name, address, phone, etc. fields to another backend PHP script or use another jQuery $.ajax() call.
Either way, a spammer could examine the HTTP requests and submit the form data without using the jQuery front end & reCaptcha.
How can I use reCaptcha and (upon a successful match) submit form data in such a way that a spammer can not easily abuse the system?

I was making this too complicated. I ended up having the ajax call submit the captcha and all of the form data at the same time. If and only if the captcha is correct, then I proceed with the rest of the PHP script. Otherwise, I return an error through the same ajax call.
I added a hidden field via $(#my_input").hide() and check to see if a spammer filled it in. I check the http referrer and sanitize all user input.

Related

PHP Script that sends an Email when users press on SUBMIT button in the form

I have a submission form, and I wrote a PHP script to make form send an email with input data that the user inserts it in the fields of the form
Now I put the PHP code in the same file of HTML and CSS, I mean that the HTML, CSS and PHP in the same file
When I put the file in the CMS, that what happened to the page, you could see what happen from here: https://www.hochikiamerica.com/acd-landing-2
PHP Script and HTML code of the form
https://github.com/Mstava/FreelancerProject/blob/master/formScript.php
Now, I need to know where to put the PHP code in the HTML file to avoid this
and How to ensure that code is working and it sends the Email
When you click on submit your form action takes you to action_page.php That's where you should read your post variables and send the email. Take a look at this post I wrote several years ago blue host email
A common misconception is that additional PHP can be run upon the user doing something (i.e. clicking submit button). Not the case. When the page has been rendered, no further PHP on that page can be executed.
So, what to do?
You have two options:
(1) You can create a second page (action_page.php or some name), that is specified on the action= attribute of the form tag. That additional page will receive the data the user typed in, via PHP variables $_POST (if method="post") or via $_GET if method=get, and you can then use that data to send the contact form, and either display new data to the user or send the user back to the original page. Of course, you may need additional PHP to acknowledge the form has been sent, etc - and this additional code will need to handle both the case where the user is visiting the page for the first time, and when the contact form has been sent and the user is seeing the page for the second time.
(2) You can use AJAX (javascript/jQuery) to grab the form data, send it to a secondary PHP file, which will receive the data via the $_POST/$_GET variables, send the email, and return a response back to the first page.
These days, mostly we use the second method, because it is much more powerful. For one, the user remains on the same page. For another, there is no page refresh. For another, your javascript can do other things after the form has been sent.
AJAX is actually pretty simple - just do a google search for YouTube videos on creating a login system with PHP and AJAX. You should be able to find one of around 10 mins or less that explains all you need to know to send your contact form, and send feedback back to the calling page.
Here is a 5-minute YouTube tutorial that will show you the basics:
Install a simple PHP and Ajax login system

Need for PHP validation if a form only submits via JavaScript?

If I have a form, say a simple contact me form with inputs for name, email, message, etc. And I have the form set to submit using Ajax after the JavaScript validation has returned true on all inputs.
Do I still need to validate the inputs using PHP? If JavaScript is turned off, how could the form still submit? And if the form can't submit because the JavaScript is off, how could that cause any harm?
Of course you need server-side validation! :-)
It's always needed.
Just install this add-on: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/.
It lets you freely modify what goes to the server.
Also, Firebug lets you modify what the browser sees, therefore submits to the server.
Here is an analogy: banks have locks on their safes. But they also have security cameras, and alarm systems, in case the locks fail to stop someone from stealing.
EDIT:
If you are using a contact form (and the script automatically email the person contacting), keep in mind that someone could make your script send 1000's of spam messages, simply by adding addresses to the email field.
To avoid this, you need to do server-side validation. You simply cannot rely on client-side validation.
It's best to do validation at server-side as end-user can do more than just turn on/off JavaScript.
As JavaScript is available at client-side, a malicious user can alter the client-side validation to make malicious inputs pass the client-side validation.
It's always better to trust inputs that are server-side validated than trusting users to not alter JavaScript behavior.
You should always use backend validation to sanitise the user input regardless of the presence of front end validation.
While you are correct that the form cannot be submitted with Javascript disabled it could still be submitted by a person with malicious intent by simply sending a POST request to the URL which you use.
I think it's better to have both validation types, every time: client-side (using JavaScript, so no Ajax call is made to the browser) and server-side (using PHP validations).
The form can still be submitted using the Firebug console or other kind of hacks.
A normal user can't do that but... still. If there's a chance it can be done, you shouldn't risk it.
Anyone can submit form to your URL with any data. Even from localhost
So server side validation is a must

using recaptcha with external form submit url

I'm trying to use recaptcha to prevent spam on my form that submits to a salesforce url.
The recaptcha instructions say to include the verification functionality in a my internal form-checking. Because the form is submitted to salesforce though, I'm not sure where this code should go...or how to work around submitting the form responses to salesforce if the captcha is entered correctly, and how to re-display the form if it isn't. help?
If you mean that the form's action takes the user to an external site upon submission, you either need to check the captcha with javascript/ajax, or create a man-in-the-middle page to handle validation and redirection (if everything is valid). Both will give you the ability to kick the user back to the form if something isn't right.
just save cookie to temp file, and resubmit form with curl and set cookies with previous temp file

Is it possible for user to submit a form if submit button is disabled? (Asking because of PHP validation)

When my form loads on the page, the submit button is disabled by default. Is it possible for a user to submit the form with this submit button disabled? (Either maliciously or by accident.)
I ask because I have the form information being validated by Javascript upon submit, but I of course am validating the information in my PHP script. That being said, do I need to really validate that information on the server side? The submit button becomes enabled via Javascript. So, if a user disables JS (thus getting by the JS validation), can they even submit the form? My guess is no, but I am looking for a firm answer.
If the answer is no, then I don't really need to do the PHP validation because the user CANNOT get by the JS validation, correct?
Thank you!
Yes, the person can "submit the form" even if it is disabled. He can submit it even if there is no form at all. He can simply send an HTTP request to the page that processes the form with the needed fields. It is highly discouraged to rely on JavaScript for validation.
A user can bypass a disabled submit button, and any client side restrictions for that matter. There is no such thing as client side security. To deal with hackers, you must always put your validation on the server side. Client side validation is just for appearances.
To be specific, they could bypass the disbaled submit button in the following ways:
Enabling it via a JavaScript console (e.g Firebug)
Enabling it via editing the DOM.
Just sending an HTTP request directly without using the form
Yes. There are a number of ways. If the form has a text field, it can be submitted using the return button (unless you actively prevent that using JavaScript). Also, any halfway clever user can use FireBug or some other tool to edit the source of your page on the fly and enable the submit button if they like.
You need to validate on the server side also. Just in case if javascript is off in the client side, or he tampers with the code using firebug and other similar tools.
Assume the user has complete control of the client side, and can read and write whatever he wants over the network using browser/scripts/command line apps/etc...
This means you must validate server side to be sure of sanitized response.

Trying to validate captcha with javascript before sending to php form validation

Hi I'm a relative newbie.
Have a mail contact form set up with a captcha image generator.
When the captcha is verified, on submitting the form, a php page is actioned which further validates the input data (checking against spam).
Challenge: would like to retain form data in case of error in enterred capthca code and needing to return to form.
If I use a sticky form with the form sticks okay but I cannot see how I then direct http to the php script for form data validation.
So I figure the answer is a javascript function to validate the captcha and stay within the same page where the form appears, ideally just having a pop up message (alert ...) if the enterred code is wrong, before sending the http to the php script page.
I have seen that this can be done but I cannot adapt the code to the captcha I use (i.e. webspamprotect.com) Could any body suggest a generic js function useable with any captcha ?
Would be most grateful for any input.
MANY THANKS
Steve
It doesn't make sense to be able to validate the CAPTCHA with javascript on the client. If you made it possible to validate with Javascript a scammer could use the validation function to test their guesses before they sent them to the server, so they would always be able to get the answer right.
You could implement an AJAX call requesting the server to validate the attempt instead of requiring a full page refresh, but the validation must still be done on the server.
When the captcha is generated the written word is usually stored inside the session or written into a hidden input field, so it can be validated against the user supplied word, when the form is submitted back to the PHP script.
You could pass the session variable holding this to your JavaScript (or read it from the hidden input if present) when rendering the page holding the form and captcha. Then, when the user clicks submit, intercept the call and check if the entered word matches the expected word.
As for retaining the values: just add the values to your HTML form value attribute. Make sure you escape the output in case users supply malicious code.
EDIT: agreeing with everyone who says you still have to validate the input on the server side as well. Client Side validation can easily be tinkered with and is nothing but a convenience feature for users, so they can fix their input before submitting.
simply check the value of "g-recaptcha-response"
if($('#g-recaptcha-response').val()==''){
alert('captcha not ticked');
}else{
alert('captcha ticked');
}

Categories