MakeWebGames

reCaptcha


Damond


Simple question.

Has anyone changed to using reCaptcha to limit auto refreshers and if so what is the process?

Everything I am reading is telling me it has to be on a form submit, but I'm looking more for it to pop up after checking if you have done it in the last hour on certain pages.

I have a small captcha system now but it is very dated and I have a few users who are blind. Their screen readers are not able to read our current captcha system. Now I have three or four telling me that after entering the code correctly, the very next time the code comes up the display is blank. They are having to clear their cache and reopen the game to get the code to display.

All of these problems are pointing me at replacing the captcha system.

UPDATE:

As I am a novice coder, less than 1yr experience, it is not very often that I get a chance to answer a question posted here. I find myself reading and learning from the other coders more than offering advice.

That changes a little today with me answering my own post. I am going to explain in detail how to implement Google's new reCaptcha v2.0 in McCodes v2. It has taken me several days to do it but at last it works and I am ready at last to share what I have learned with a community that has taught me so much.

So here we go.

Step 1: Signing up.

First thing you need to do is sign up for the FREE service by going to the site http://recaptcha.net

Here you will need to assign a name to the captcha you are going to use for your own later use. Basically if you are going to use several different captchas on the same site you can name them to make them easier to find later if you need to make updates.

Next enter your domain.

And then a contact email for notification of anyone tampering with your system.

Register the info and it will take you to a new page where it is going to show you a public key and a private key. These two things are the most important of the whole system.

Under the keys it will show you client side coding as well as server side coding.

This is where I started having problems. Apparently on the server side coding they already expect you to have a certain level of coding knowledge that as a novice I just didn't have. There are no examples of the coding to work off of nor are there really clear instructions. Don't worry though, after hours of searching and trying different bits of code I finally got all this to work.

Step 2: Adding in the coding.

This is actually much simpler than it seems. You are going to need to update three PHP pages: header.php, macro1.php, and macro2.php

We will start with the header.php

A very simple addition:

This little bit of code calls for Google's reCaptcha API JavaScript. Make sure that you place it BEFORE the closing head tag in the header. </head>

<script src="https://www.google.com/recaptcha/api.js" async defer></script>

 

Next macro1.php

When I first started this page was 50 - 60 lines long. It was generating images and number letter combinations... Now reCaptcha takes care of all of that for you.

You will see the generate widget comment. The line of code right under it is what displays the reCaptcha widget on your site. Replace == YOUR PUBLIC KEY == with the public key generated on the register site. That is now the whole page.

<?php
include "globals.php";
// make sure user is supposed to be here
if(!$set['validate_on'] || $ir['verified']) {
   showErrMsg("What are you doing on this page?");
}

// the page that sent you here, escaped for use inside an HTML attribute
$ref=htmlspecialchars(isset($_GET['refer']) ? $_GET['refer'] : '', ENT_QUOTES);

print "<h3>Captcha</h3><hr />
<div class=minion_hunt>
This is a necessary evil to prevent cheating.  It resets every hour. <br><br>
<sub>**Five failures in a row will result in 1 day on the banished isle**</sub></div><br>

<!-- form -->
<form action='macro2.php' method='post'>
<!-- carry over the starting page -->
<input type='hidden' name='refer' value='{$ref}' />
<!-- generate the widget for the captcha -->
<div class='g-recaptcha' data-theme='dark' data-sitekey='== YOUR PUBLIC KEY =='></div>
<!-- must have a submit button -->
<input type='submit' value='Verify' /></form>";
$h->endpage();
?>

 

Finally the big one macro2.php

This page is going to verify the data from the captcha. Here is where the Google explanation gets a little fuzzy... They tell you to use a json obj to verify the response from the captcha.. ok... what is a json obj? I still have no idea.. But after hours and hours of searching I found the right way to write the code.

<?php
include "globals.php";
// make sure user is supposed to be here
if(!$set['validate_on'] || $ir['verified']) {
die("What are you doing on this page?");
}
// read the token the widget posted (empty string if it is missing)
$captcha=isset($_POST['g-recaptcha-response']) ? $_POST['g-recaptcha-response'] : '';
    // If the captcha is blank send them back
    if(!$captcha){
         echo '<h2>Please check the captcha form.</h2>';
         header("Location: macro1.php?refer={$_POST['refer']}");
         exit;
       }
    // Check the response from google REPLACE: YOUR PRIVATE CODE with the private code from registration.
       $response=json_decode(file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=YOUR PRIVATE CODE&response=".urlencode($captcha)."&remoteip=".$_SERVER['REMOTE_ADDR']), true);
    // If they fail send them back to try again update failed = +1
     if($response['success'] == false) {
         echo '<h2>You failed the captcha!</h2>';
         $db->query("UPDATE users SET failed=failed+1 WHERE userid={$userid}");
         header("Location: macro1.php?refer={$_POST['refer']}");
         exit;
       } else {
         $ref=$_POST['refer'];
         $db->query("UPDATE users SET verified=1 WHERE userid={$userid}");
         header("Location: $ref");
       }

?>

 

And that's all there is to it. Google does all the rest of the work. There is no need to upload a captcha DB or js file anymore.

I really hope that this helps someone else out there to use this new reCaptcha system.

Edited by Damond
Update

@KyleMassacre

Thanks for the response but it looks like once again we have posted at the exact same time. LOL I did finally figure out the proper way of using the system and have it implemented on my site. I updated my OP with the instructions.


@Damond - I read your OP and saw you haven't had a lot of time programming, so here's some pointers;

 

  • Don't send output before a header() redirect (line 12 and line 21) - you'll get a "Headers already sent" error message (unless you use output control)
  • file_get_contents

     


> Pretty sure that the allow_url_fopen setting is on within php because when I last updated the server, I activated the setting. Of course I could be wrong, it was a while ago.

Sure, on some installs. Depends on your sysadmin though.

Also, if you have a shared server, it may be disabled.
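
Because `file_get_contents()` on a URL depends on `allow_url_fopen`, the siteverify check from macro2.php can instead be sent with cURL as a POST request, failing closed on any error. This is an added example, not code from the thread; `verifyRecaptcha()` and the `example.com` host are assumed names.

```php
<?php
// Added example, not code from the thread. verifyRecaptcha() is a hypothetical helper.
const RECAPTCHA_VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

/**
 * Ask Google whether a g-recaptcha-response token is valid.
 * Returns true only on an explicit success reported for the expected hostname.
 */
function verifyRecaptcha(string $secret, string $token, string $remoteIp, string $expectedHost): bool
{
    if ($token === '') {
        return false;                       // nothing to verify
    }
    $ch = curl_init(RECAPTCHA_VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        // POST is the documented method and keeps the secret out of the request URL
        CURLOPT_POSTFIELDS     => http_build_query([
            'secret'   => $secret,
            'response' => $token,
            'remoteip' => $remoteIp,
        ]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 3,        // do not hang the page if Google is unreachable
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    if ($body === false) {
        return false;                       // network failure: fail closed
    }
    $result = json_decode($body, true);
    if (!is_array($result) || ($result['success'] ?? false) !== true) {
        return false;                       // malformed reply or explicit failure
    }
    // Reject tokens that were solved on a different site
    return isset($result['hostname'])
        && strcasecmp($result['hostname'], $expectedHost) === 0;
}

// Usage inside macro2.php, before any output is sent (key and host are placeholders):
// $ok = verifyRecaptcha('YOUR PRIVATE KEY', $_POST['g-recaptcha-response'] ?? '',
//                       $_SERVER['REMOTE_ADDR'], 'example.com');
```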


After a bit of reading I have found that a better way to redirect a user with a bad answer or a blank answer is to use a META refresh directed at the right page.

So replacing:

header("Location: macro1.php?refer={$_POST['refer']}");

 

With:

echo '<META http-equiv="refresh" content="5;URL= /macro1.php?refer=' . $_POST['refer'] . '"">';

 

Solves the problem of "cannot add header information, headers already sent". Giving it a 5 second delay allows the user time to read their mistake before being redirected.


> After a bit of reading I have found that a better way to redirect a user with a bad answer or a blank answer is to use a META refresh directed at the right page.
>
> So replacing:
>
> header("Location: macro1.php?refer={$_POST['refer']}");
>
> With:
>
> echo '<META http-equiv="refresh" content="5;URL= /macro1.php?refer=' . $_POST['refer'] . '"">';
>
> Solves the problem of "cannot add header information, headers already sent". Giving it a 5 second delay allows the user time to read their mistake before being redirected.

Just to point out...

From the w3;

> The objective of this technique is to enable redirects on the client side without confusing the user. Redirects are preferably implemented on the server side [...] The page containing the redirect code should only contain information related to the redirect.

So "better" in terms of lazy development, sure. ;) Also, read http://www.w3.org/TR/2015/NOTE-WCAG20-TECHS-20150226/SVR1

Edit

What if the value of $_POST['refer'] is;

" content=""><META http-equiv="refresh" content="0;URL= http://my-malicious-site.com/hack_damonds_account.php"><foo bar="

 

Where is the sanitisation?

Edited by ~Rob0t
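
One way to answer the question above, as an added example that is not part of the original posts: check `refer` against a strict same-site pattern before it reaches a redirect or a link, and encode it at the point of output. `safeRefer()`, `retryUrl()`, `DEFAULT_PAGE` and the sample page names are assumptions.

```php
<?php
// Added example, not code from the thread. All names here are hypothetical.
const DEFAULT_PAGE = 'index.php';

/**
 * Return $refer only if it is a plain same-site script path such as
 * "explore.php" or "gym.php?action=train"; otherwise return the default page.
 */
function safeRefer($refer): string
{
    if (!is_string($refer) || strlen($refer) > 200) {
        return DEFAULT_PAGE;
    }
    // One local .php script name plus an optional simple query string.
    // No scheme, no "//", no quotes, no angle brackets, no whitespace.
    if (!preg_match('~\A/?[A-Za-z0-9_-]+\.php(\?[A-Za-z0-9_=&.-]*)?\z~', $refer)) {
        return DEFAULT_PAGE;
    }
    return $refer;
}

/** Build the retry link for macro1.php with the value encoded as a query parameter. */
function retryUrl($refer): string
{
    return 'macro1.php?refer=' . rawurlencode(safeRefer($refer));
}

// Constructed inputs: a normal value, the value quoted in the post above,
// and a protocol-relative URL.
$samples = [
    'explore.php',
    '" content=""><META http-equiv="refresh" content="0;URL= http://my-malicious-site.com/hack_damonds_account.php"><foo bar="',
    '//my-malicious-site.com/x.php',
];
foreach ($samples as $s) {
    // htmlspecialchars() is still applied where the URL is written into HTML
    echo '<a href="' . htmlspecialchars(retryUrl($s), ENT_QUOTES, 'UTF-8') . '">Try again</a>', "\n";
}

// In macro2.php the same check guards the final redirect:
// header('Location: ' . safeRefer($_POST['refer'] ?? ''));
```

Only the first sample survives validation; the other two fall back to `index.php`.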