How To Implement Google reCAPTCHA v2 in PHP

  • 1.2K views
  • 5 minute read
Total
1
Shares
1
0
0
Share
1 people shared the story
1
0
0
0
  1. Go to https://www.google.com/recaptcha/admin/create to create your site key and secret key
  2. Add your site key to your form
  3. Check for google reCAPTCHA response on the form processing page using your secret key.

In this tutorial i will show you how to implement google reCAPTCHA in PHP and how to avoid some time wasting mistakes.

Register Your Site And Obtain Your Site Key And Secret Key

Go to https://www.google.com/recaptcha/admin/create and follow the steps to create your site key and secret key.

  • For label: yourdomainname will be fine, e.g mydomainname.net
  • For reCAPTCHA type: choose reCAPTCHA v2 and the choose “I’m not a robot” Checkbox
  • For Domains: simply type localhost if you are testing on your local machine or your actual domain working on your web server. You can add both localhost and your domain name at the same time, just click on the + sign to achieve this.
  • For Owners: If you are already logged into your google account, you will see your email address here, if not just go ahead and type your email address.
  • Click on Accept the reCAPTCHA Terms of Service check box.
  • Send alerts to owners is checked by default
  • Click SUBMIT button to submit and obtain your site key and secret key.

Once you submit, you come the page where you copy your site key and secret key. See image below,

Click on COPY SITE KEY and COPY SECRET KEY to copy them to a save place for use later on in this tutorial.

Add Google reCAPTCHA Site Key To Your Form

This is the only code that you have to add to your HTML form,

<div class="g-recaptcha" data-sitekey="Your_site_key"></div>

You have to place this code at the position where you want the google reCAPTCHA to display in your HTML form. I placed mine after the ‘Accept Our Terms’ form field and this is how it displays to users.

Google reCAPTCHA PHP Code Implementation

Verifying The User’s Response

This is what you have to look out for in your server side implementation of google reCAPTCHA v2,

$_POST['g-recaptcha-response']

You take that PHP POST super global variable and your secret key and send it to the below url for verification.

https://www.google.com/recaptcha/api/siteverify

So the way most people do this in their code implementation is shown below

if(empty($_POST['g-recaptcha-response'])){//capcha not submitted  
   //inform user to click on captcha on next trial
   //stop code execution here
}else{//capcha submitted
   $private_key = 'Put_Your_Secret_Key_Here';
   $capcha_query = file_get_contents('https://www.google.com/recaptcha/api/siteverify?secret=' . $private_key . '&response=' . $_POST['g-recaptcha-response']);
   $capcha_response = json_decode($capcha_query);
   if($capcha_response->success == false){
      //reCAPCHA verification failed
      //ask user to try again
   }
}

Google reCAPTCHA Returns No Response

So i find that the way we have implemented the verification of the user’s response for google reCAPTCHA v2 above works fine when testing it on your localhost but may always return an empty response on an actual web server depending of some variables; this kept me for some days trying to figure things out.

Okay so first of all in case you don’t understand what i mean by google reCAPTCHA returns no response or empty response always, this is what i mean; after you execute this line of code:

$capcha_query = file_get_contents('https://www.google.com/recaptcha/api/siteverify?secret=' . $private_key . '&response=' . $_POST['g-recaptcha-response']);

you expect to get a response on this line of code:

$capcha_response = json_decode($capcha_query);

From this link https://developers.google.com/recaptcha/docs/verify you find that google says that the response you expect to get back from them is this JSON object:

{
  "success": true|false,
  "challenge_ts": timestamp,  // timestamp of the challenge load (ISO format yyyy-MM-dd'T'HH:mm:ssZZ)
  "hostname": string,         // the hostname of the site where the reCAPTCHA was solved
  "error-codes": [...]        // optional
}

Of course we decode this JSON object back to a PHP array with the line of code

$capcha_response = json_decode($capcha_query);

and then expect that our array variable: 

$capcha_response

when referenced this way

$capcha_response->success

will either return a true or false so that we know what step to take next. So if it returns true, we accept the captcha validation else we ask the user to try again.

So i find that everything works as expected on the localhost but does not return true, neither does it return false at least on my own web server and kept me for days trying to figure things out.

One of the places to quickly check if you run into this problem on your web server of course is to check whether your ‘allow_url_fopen’ under PHP configuration is enabled. In my case even after enabling it, the problem was not solved and i don’t have control over that server to really trouble shoot to understand what more might be wrong seeing that it is a shared hosting.

Using CURL Solves The Problem

If you don’t yet know what curl is you can look here https://en.wikipedia.org/wiki/CURL for understanding.

To solve the above problem, use the below code for verifying the user’s response instead

if(empty($_POST['g-recaptcha-response'])){//capcha not submitted
   //inform user to click on captcha on next trial
   //stop code execution here
}else{//capcha submitted
   $private_key = 'Put_Your_Secret_Key_Here';
   $curl = GOOGLE_reCAPTCHA::GOOGLE_reCAPTCHA_API($private_key, $_POST['g-recaptcha-response']);
   if ($curl === false) {
       //handle error message here
       //stop code execution here
   }
   $response = GOOGLE_reCAPTCHA::Execute_Transaction($curl); //Execute the transaction here
   $capcha_response = json_decode($response);
   if($capcha_response->success == false){
       //handle error message here
       //stop code execution here
   }else{
       //validation was successfull
       //allow code execution to continue to other parts of your code
   }
}

The GOOGLE_reCAPTCHA Class

class GOOGLE_reCAPTCHA {
    public static function GOOGLE_reCAPTCHA_API($key, $g_recaptcha_response) {
        $url = "https://www.google.com/recaptcha/api/siteverify";
        
        $transacData = array('secret' => $key,
                             'response'=>$g_recaptcha_response);
        //$TransacPayload = json_encode($transacData);
        
        $curl = curl_init(); //Initialiaze curl
        curl_setopt($curl, CURLOPT_URL, $url);
        curl_setopt($curl, CURLOPT_POST, true);
        curl_setopt($curl, CURLOPT_POSTFIELDS, $transacData);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);'/cacert.pem');
        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
        return $curl;
    }
    
    public static function Execute_Transaction($curl) {
        $response = curl_exec($curl);
        curl_close($curl);
        return $response;
    }
}
Total
1
Shares
Share 1
Tweet 0
Pin it 0

Ebiti Edide is the back end development team lead at FirstClick and have spent over 17 years doing the same thing; programming. These days what he enjoys most is to teach young people what he has spent years learning, even teaching for free.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You May Also Like