Situation

I have a newsletter sign up form provided by a third party to integrate on our website. We are getting a lot of spam contacts and the partner only supports reCAPTCHA V2 checkbox for inline integration - this is not user friendly and I have never seen a newsletter sign up form with an interrupting captcha on other sites. So we'll have to use our own.

Standard method with PHP token verification

Google Recaptcha v3 example demo

Problem

I can't use another PHP action on the form-element to check the token in the backend because it is already used by the third party action. Is there any chance to get reCAPTCHA V3 working with such a form?

Third party form code

<form method="POST" action="https://xxx.xxxxxx.com/proc.php" id="_form_11_" novalidate>
    <div class="_form-content">
        <div class="_form_element">
            <div class="_field-wrapper">
                <input type="text" name="email" placeholder="Email" required />
            </div>
        </div>
        <div class="_button-wrapper _full_width">
            <button id="_form_11_submit" class="_submit" type="submit">
                Anmelden
            </button>
        </div>
    </div>
</form>
flip
  • Recaptcha v3 is browser / JS-based, so your form action is largely irrelevant as far as I can see. https://developers.google.com/recaptcha/docs/v3 . Only snag is I assume there's no point sending the token to the 3rd party's backend because they won't have code set up to verify it. So you run the risk that someone simply bypasses it and uses another tool to send requests directly to the 3rd party URL. – ADyson Mar 26 '21 at 15:04
  • Although... https://developers.google.com/recaptcha/docs/verify seems to be the same for v2 and v3 so it's possible the server-side code would work the same for both types of frontend. Worth a test, I'd say – ADyson Mar 26 '21 at 15:07
  • Thank you for the quick reply. I have to admit, I'm more of a designer than a developer, and the Google Docs on Verify are a little cryptic to me. In all of the guides I have found so far, PHP is used to check the token. Could you perhaps have an example of how such an implementation for a form could look without the action? – flip Mar 26 '21 at 15:31
  • Well the form is nothing to do with the PHP. The difference between v2 and v3 is that you use some JS or config to trigger the captcha scoring process in the background. You've already said that the PHP part isn't under your control, but given my guess that the server-side code process to verify the score token is the same for both versions. So _probably_ if your provider already supports v2 then chances are they can support v3 as well without making any changes to their PHP. – ADyson Mar 26 '21 at 15:43
  • It looks to me like based on the first link I gave you, you'd follow step 1 exactly as-is in the docs, and then step 2 `function onSubmit(token) { document.getElementById("_form_11_").submit(); }`, step 3 `` would need to become `` – ADyson Mar 26 '21 at 15:48
  • That's off the top of my head, I haven't tested it. But hopefully you get the idea. – ADyson Mar 26 '21 at 15:48
  • Ah ok, it looks like I got that completely wrong. I thought we could run the reCAPTCHA check on OUR site and server and if the test passed, the information would be sent to the provider. I'll see if it works like that. Thank you so far! – flip Mar 26 '21 at 16:28
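
The idea raised in the last comment (run the reCAPTCHA v3 check on our own server and pass the sign-up on to the provider only if it passes), as an added example that is not code from the thread, the provider or Google's docs. Assumptions: the form's `action` is changed to a hypothetical `subscribe.php` on our site, the page's JavaScript sends the v3 token in a POST field named `g-recaptcha-response` with the action name `newsletter`, a score threshold of 0.5 is used, and the provider accepts a server-side POST carrying the same fields as the form shown above.

```php
<?php
// Hypothetical relay endpoint (subscribe.php) on OUR server. The form posts
// here instead of to the provider; we verify the token, then forward.
const RECAPTCHA_SECRET = 'YOUR_SECRET_KEY';                  // placeholder
const PROVIDER_URL     = 'https://xxx.xxxxxx.com/proc.php';  // elided on the page
const EXPECTED_ACTION  = 'newsletter';                       // assumed action name
const MIN_SCORE        = 0.5;                                // assumed threshold

// POST form-encoded fields; return the response body, or null on failure.
function post_form(string $url, array $fields): ?string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    return $body === false ? null : $body;
}

// Decide on the decoded siteverify JSON; fail closed on anything unexpected.
function token_is_acceptable($r): bool
{
    return is_array($r)
        && ($r['success'] ?? false) === true
        && ($r['action'] ?? '') === EXPECTED_ACTION
        && ($r['score'] ?? 0.0) >= MIN_SCORE;
}

$token = $_POST['g-recaptcha-response'] ?? '';
$email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
$raw   = $token === '' ? null : post_form(
    'https://www.google.com/recaptcha/api/siteverify',
    ['secret' => RECAPTCHA_SECRET, 'response' => $token]
);
$verdict = $raw === null ? null : json_decode($raw, true);

if ($email === false || !token_is_acceptable($verdict)) {
    http_response_code(400);
    exit('Sign-up rejected.');
}
// Forward only the validated field; the secret key never reaches the browser.
post_form(PROVIDER_URL, ['email' => $email]);
echo 'Thank you for signing up.';
```

As the first comment notes, this does not stop requests sent directly to the provider's URL; only a check on the provider's side can close that path.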

0 Answers