
I am writing a user signup form that will use reCaptcha on a jQuery html web page with a PHP backend. When a successful challenge is entered I am not sure how to submit the information to the PHP backend in such a way that it can't be bypassed. The website is running over HTTPS.

I currently check to see if the captcha is correct via using $.ajax(). This submits the recaptcha_challenge_field and recaptcha_response_field to a small PHP script that calls recaptcha_check_answer() and returns success or failure.

Upon success, I can either submit the name, address, phone, etc. fields to another backend PHP script or use another jQuery $.ajax() call.

Either way, a spammer could examine the HTTP requests and submit the form data without using the jQuery front end & reCaptcha.

How can I use reCaptcha and (upon a successful match) submit form data in such a way that a spammer cannot easily abuse the system?

jftuga

  • What type of checks do you have in your receiving PHP file? I have in the past added a hidden field to the form which would be filled by spambots and then in your PHP you could detect this and stop the PHP processing. I then also have a check to make sure it is a $_POST request. Along with that you could add a referrer check to make sure that only 1 URL is posting to that PHP file. – Fraggy Apr 17 '14 at 19:23
  • @Fraggy: These are great suggestions. Would setting cookies also help? – jftuga Apr 17 '14 at 19:51
  • You could use cookies, but they can be manipulated easily. I've used nonce fields in WordPress before to add an extra layer of security. There are some PHP nonce libraries out there, I found this link http://stackoverflow.com/a/4145848/1184998 to a question that has an example of nonces. – Fraggy Apr 17 '14 at 19:55

1 Answer


I was making this too complicated. I ended up having the ajax call submit the captcha and all of the form data at the same time. If and only if the captcha is correct, then I proceed with the rest of the PHP script. Otherwise, I return an error through the same ajax call.

I added a hidden field via $("#my_input").hide() and check to see if a spammer filled it in. I check the http referrer and sanitize all user input.

jftuga
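The flow described in the answer, as an added PHP handler that is not the asker's code: the captcha fields and the form fields arrive in one POST, and nothing is validated or stored until recaptcha_check_answer() has accepted the challenge. It assumes recaptchalib.php (the reCAPTCHA v1 library the question uses; Google retired v1 in 2018, so a current deployment would call the v2/v3 siteverify endpoint with the same structure), a private key in the environment, a placeholder signup URL for the referrer check, and a SQLite table as the storage backend.

```php
<?php
// Added example (not the asker's code). Single POST: captcha + form fields.
// Assumes recaptchalib.php (reCAPTCHA v1) and the private key in the environment.
require_once 'recaptchalib.php';
$privatekey = getenv('RECAPTCHA_PRIVATE_KEY');   // assumption: never hard-code it
header('Content-Type: application/json');

function fail($msg, $status = 400) {
    http_response_code($status);
    echo json_encode(array('ok' => false, 'error' => $msg));
    exit;
}

function post($key) {
    return isset($_POST[$key]) ? trim($_POST[$key]) : '';
}

// 1. Only POST, plus the referrer check from the comments. The Referer header is
//    client-controlled, so it only stops naive bots; the captcha is the real gate.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail('POST required', 405);
}
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if (strpos($referer, 'https://example.com/signup') !== 0) {   // placeholder URL
    fail('bad referrer', 403);
}

// 2. Honeypot: the field is hidden with $("#my_input").hide(), so humans leave it empty.
if (post('my_input') !== '') {
    fail('rejected');
}

// 3. Verify the captcha BEFORE touching any other field.
$resp = recaptcha_check_answer($privatekey, $_SERVER['REMOTE_ADDR'],
                               post('recaptcha_challenge_field'),
                               post('recaptcha_response_field'));
if (!$resp->is_valid) {
    fail('captcha failed');
}

// 4. Only now validate and store the signup data (storage backend is an assumption).
$name  = post('name');
$email = filter_var(post('email'), FILTER_VALIDATE_EMAIL);
if ($name === '' || strlen($name) > 100 || $email === false) {
    fail('invalid name or email');
}
$pdo  = new PDO('sqlite:' . __DIR__ . '/signups.db');
$stmt = $pdo->prepare('INSERT INTO signups (name, email) VALUES (?, ?)');
$stmt->execute(array($name, $email));
echo json_encode(array('ok' => true));
```

Because every check runs server-side on the same request that carries the data, replaying the form fields without a fresh, valid captcha answer fails at step 3 regardless of how the jQuery front end is bypassed.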