using recaptcha with external form submit url - php

I'm trying to use recaptcha to prevent spam on my form that submits to a salesforce url.
The recaptcha instructions say to include the verification functionality in a my internal form-checking. Because the form is submitted to salesforce though, I'm not sure where this code should go...or how to work around submitting the form responses to salesforce if the captcha is entered correctly, and how to re-display the form if it isn't. help?

If you mean that the form's action takes the user to an external site upon submission, you either need to check the captcha with javascript/ajax, or create a man-in-the-middle page to handle validation and redirection (if everything is valid). Both will give you the ability to kick the user back to the form if something isn't right.

just save cookie to temp file, and resubmit form with curl and set cookies with previous temp file

Related

How to securely use reCaptcha with jQuery and PHP

I am writing a user signup form that will use reCaptcha on a jQuery html web page with a PHP backend. When a successful challenge is entered I am not sure how to submit the information to the PHP backend in such a way that it can't be bypassed. The website is running over HTTPS.
I currently check to see if the captcha is correct via using $.ajax(). This submits the recaptcha_challenge_field and recaptcha_response_fieldto a small PHP script
that calls recaptcha_check_answer() and returns success or failure.
Upon success, I can either submit the name, address, phone, etc. fields to another backend PHP script or use another jQuery $.ajax() call.
Either way, a spammer could examine the HTTP requests and submit the form data without using the jQuery front end & reCaptcha.
How can I use reCaptcha and (upon a successful match) submit form data in such a way that a spammer can not easily abuse the system?
I was making this too complicated. I ended up having the ajax call submit the captcha and all of the form data at the same time. If and only if the captcha is correct, then I proceed with the rest of the PHP script. Otherwise, I return an error through the same ajax call.
I added a hidden field via $(#my_input").hide() and check to see if a spammer filled it in. I check the http referrer and sanitize all user input.

How to send form errors back to the form via $_POST when redirected for processing

I have a form in contact.php with a considerable amount of inputs.
this form will be mailed using the php mail() function providing the captcha is correct and the input values follow the regex.
the action for the form is "mailer.php" and the method is post
on the mailer.php, validation is checked and captcha verification etc. But if the user enters the wrong captcha, they are redirected back to the form.
Where ALL the data they just entered is CLEARED!
I used to redirect with a query string and the$_GET array.
But I cant do that for this form as there is a lot of data including many textareas etc.
So how can I send this data back to the form on error?
You could store the user input information as $_SESSION variables. Dont forget to include session_start(); to initiate the session.
You should design the flow like :-
form (accepting a set of default values)
when user submit the form to mailer.php
necessary checking
if success, proceed to mail
complete then redirect to whatever place
if fail
require the form again
pass the $_POST as the default values
Basically, don't do redirect when fail (only upon success)

How to handle browser back button for dynamic content

I'm writing a PHP app which presents people with a form to fill out and submit.
Once the user submits the form, things change in the database and the form should become inaccessible to the user.
If, however, the user presses the back button after submitting the form, they can see it again. I have code in the back end to prevent a user from being able to re-submit an already submitted form, however ideally if the user presses the back button, they will get the same message as if they were to just navigate to it outright: A message is shown on the screen saying that this form has already been submitted and is now unavailable.
Aside from an AJAX call to the back-end to check if the form has already been submitted, and redirect the user to the "form submitted and now unavailable" message, is there any other (better?) way of handling this?
Since this will only be used internally on a SOE, I only need it to work on IE8+.
You can consider adding this information to session/cookie. Alternatively if you have authentication system, you can store this information in the database.
Probably the first option is easier and sufficient.
so basically before displaying the form you check if the cookie alreadySubmitted is 1. If yes - error message, otherwise - form. When you submit the form, just set this cookie to alreadySubmitted.
However be aware, that if someone deletes cookie, he will be able to trick your system.

PHP - set session variable on form submit

I have a form on my page, and I want to send the user to the 'private' part of the page when they've submitted the form.
I want to achieve this by using sessions, but I can't find out how to set a session variable when the form is submitted. This is because the form action is an external page, and when it has been submitted it gets sent back to the page where the form is. The problem is however that I cannot catch that with HTTP_REFERER because it's an https page.
So i have no idea how to do this. Anybody? Thx!
A couple ways I can think of doing this:
Send the form to a local page that sets the session variable and then fopen()'s the remote page. Here's a post describing how to send POST data with PHP streams.
Use AJAX and the onbeforesubmit JavaScript hook. Basically, when the user clicks submit, cancel the form submission, send your AJAX request to your own server, then when it returns, submit the form. Make sure to disable the form submit button when you do this, as it could take some time for the round trip to your server.

Trying to validate captcha with javascript before sending to php form validation

Hi I'm a relative newbie.
Have a mail contact form set up with a captcha image generator.
When the captcha is verified, on submitting the form, a php page is actioned which further validates the input data (checking against spam).
Challenge: would like to retain form data in case of error in enterred capthca code and needing to return to form.
If I use a sticky form with the form sticks okay but I cannot see how I then direct http to the php script for form data validation.
So I figure the answer is a javascript function to validate the captcha and stay within the same page where the form appears, ideally just having a pop up message (alert ...) if the enterred code is wrong, before sending the http to the php script page.
I have seen that this can be done but I cannot adapt the code to the captcha I use (i.e. webspamprotect.com) Could any body suggest a generic js function useable with any captcha ?
Would be most grateful for any input.
MANY THANKS
Steve
It doesn't make sense to be able to validate the CAPTCHA with javascript on the client. If you made it possible to validate with Javascript a scammer could use the validation function to test their guesses before they sent them to the server, so they would always be able to get the answer right.
You could implement an AJAX call requesting the server to validate the attempt instead of requiring a full page refresh, but the validation must still be done on the server.
When the captcha is generated the written word is usually stored inside the session or written into a hidden input field, so it can be validated against the user supplied word, when the form is submitted back to the PHP script.
You could pass the session variable holding this to your JavaScript (or read it from the hidden input if present) when rendering the page holding the form and captcha. Then, when the user clicks submit, intercept the call and check if the entered word matches the expected word.
As for retaining the values: just add the values to your HTML form value attribute. Make sure you escape the output in case users supply malicious code.
EDIT: agreeing with everyone who says you still have to validate the input on the server side as well. Client Side validation can easily be tinkered with and is nothing but a convenience feature for users, so they can fix their input before submitting.
simply check the value of "g-recaptcha-response"
if($('#g-recaptcha-response').val()==''){
alert('captcha not ticked');
}else{
alert('captcha ticked');
}

Categories