Damond Posted October 5, 2015 (edited)

Simple question. Has anyone changed to using reCaptcha to limit auto refreshers and if so what is the process? Everything I am reading is telling me it has to be on a form submit, but I'm looking more for it to pop up after checking if you have done it in the last hour on certain pages.

I have a small captcha system now but it is very dated and I have a few users who are blind. Their screen readers are not able to read our current captcha system. Now I have three or four telling me that after entering the code correctly, the very next time the code comes up the display is blank. They are having to clear their cache and reopen the game to get the code to display. All of these problems are pointing me at replacing the captcha system.

UPDATE: As I am a novice coder, less than 1yr experience, it is not very often that I get a chance to answer a question posted here. I find myself reading and learning from the other coders more than offering advice. That changes a little today with me answering my own post. I am going to explain in detail how to implement Google's new reCaptcha v2.0 in McCodes v2. It has taken me several days to do it but at last it works and I am ready at last to share what I have learned with a community that has taught me so much. So here we go.

Step 1: Signing up.

First thing you need to do is sign up for the FREE service by going to the site http://recaptcha.net Here you will need to assign a name to the captcha you are going to use for your own later use. Basically if you are going to use several different captchas on the same site you can name them to make them easier to find later if you need to make updates. Next enter your domain. And then a contact email for notification of anyone tampering with your system. Register the info and it will take you to a new page where it is going to show you a public key and a private key.
These two things are the most important of the whole system. Under the keys it will show you client side coding as well as server side coding. This is where I started having problems. Apparently on the server side coding they already expect you to have a certain level of coding knowledge that as a novice I just didn't have. There are no examples of the coding to work off of nor are there really clear instructions. Don't worry though, after hours of searching and trying different bits of code I finally got all this to work.

Step 2: Adding in the coding.

This is actually much simpler than it seems. You are going to need to update three PHP pages: header.php, macro1.php, and macro2.php.

We will start with the header.php. A very simple addition: this little bit of code calls for Google's recaptcha api javascript. Make sure that you place it BEFORE the closing head tag in the header.

```html
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
</head>
```

Next macro1.php. When I first started this page was 50 - 60 lines long. It was generating images and number letter combinations... Now reCaptcha takes care of all of that for you. You will see the generate widget comment. The line of code right under it is what displays the reCaptcha widget on your site. Replace == YOUR PUBLIC KEY == with the public key generated on the register site. That is now the whole page.

```php
<?php
include "globals.php";
// make sure user is supposed to be here
if(!$set['validate_on'] || $ir['verified'])
{
    showErrMsg("What are you doing on this page?");
}
// the page that sent you here
$ref=$_GET['refer'];
print "<h3>Captcha</h3><hr />
<div class=minion_hunt>
This is a necessary evil to prevent cheating. It resets every hour.
<br><br>
<sub>**Five failures in a row will result in 1 day on the banished isle**</sub></div><br>
<!-- form -->
<form action='macro2.php' method='post'>
<!-- carry over the starting page -->
<input type='hidden' name='refer' value='{$_GET['refer']}' />
<!-- generate the widget for the captcha -->
<div class='g-recaptcha' data-theme='dark' data-sitekey='== YOUR PUBLIC KEY =='></div>
<!-- must have a submit button -->
<input type='submit' value='Verify' /></form>";
$h->endpage();
?>
```

Finally the big one, macro2.php. This page is going to verify the data from the captcha. Here is where the Google explanation gets a little fuzzy... They tell you to use a json obj to verify the response from the captcha.. ok... what is a json obj? I still have no idea.. But after hours and hours of searching I found the right way to write the code.

```php
<?php
include "globals.php";
// make sure user is supposed to be here
if(!$set['validate_on'] || $ir['verified'])
{
    die("What are you doing on this page?");
}
if(isset($_POST['g-recaptcha-response']))
    $captcha=$_POST['g-recaptcha-response'];
// If the captcha is blank send them back
if(!$captcha){
    echo '<h2>Please check the captcha form.</h2>';
    header("Location: macro1.php?refer={$_POST['refer']}");
    exit;
}
// Check the response from google REPLACE: YOUR PRIVATE CODE with the private code from registration.
$response=json_decode(file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=YOUR PRIVATE CODE&response=".$captcha."&remoteip=".$_SERVER['REMOTE_ADDR']), true);
// If they fail send them back to try again update failed = +1
if($response['success'] == false)
{
    echo '<h2>You failed the captcha!</h2>';
    $db->query("UPDATE users SET failed=failed+1 WHERE userid={$userid}");
    header("Location: macro1.php?refer={$_POST['refer']}");
    exit;
}
else
{
    $ref=$_POST['refer'];
    $db->query("UPDATE users SET verified=1 WHERE userid={$userid}");
    header("Location: $ref");
}
?>
```

And that's all there is to it. Google does all the rest of the work.
There is no need to upload a captcha DB or js file anymore. I really hope that this helps someone else out there to use this new reCaptcha system.

Edited October 6, 2015 by Damond (Update)

KyleMassacre Posted October 6, 2015

I have never used recaptcha but have you looked at Dave's captcha module he made? Also, if you look here: http://www.coolfields.co.uk/2009/12/text-for-screen-readers-only/ you can put the captcha text inside the screen reader that only they will be able to parse unless some other sighted person knows what to look for in your page.

Damond (Author) Posted October 6, 2015

@KyleMassacre Thanks for the response but it looks like once again we have posted at the exact same time. LOL I did finally figure out the proper way of using the system and have it implemented on my site. I updated my OP with the instructions.

KyleMassacre Posted October 6, 2015

Very good. One thing though is you need to hold to your threat. It says that if you enter the captcha wrong 5 times in a row you get banned, do it!!! Haha

~Rob0t Posted October 6, 2015

@Damond - I read your OP and saw you haven't had a lot of time programming, so here's some pointers;

- Don't send output before a header() redirect (line 12 and line 21) - you'll get a "Headers already sent" error message (unless you use output control)
- Don't wrap json_decode() around file_get_contents() as this can return FALSE and not JSON (line 16). Ensure you have JSON before trying to decode.
- file_get_contents() will only work on external URLs if you've configured PHP to do so with allow_url_fopen. Either ensure that setting is set to 1, use curl, or fsockopen
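
The pointers above applied to the siteverify call, as an added example that is not code from the thread: the body is checked for FALSE and for valid JSON before it is trusted, and curl replaces file_get_contents() so allow_url_fopen is not required. The function names and the sample response bodies are assumptions constructed for this sketch.

```php
<?php
// Added example, not Damond's code. Function names are assumptions.

/** Decide pass/fail from the raw siteverify body (false = request failed). */
function siteverify_passed($body): bool
{
    if (!is_string($body) || $body === '') {
        return false;                       // transport error: fail closed
    }
    $data = json_decode($body, true);
    if (!is_array($data)) {
        return false;                       // not JSON (error page, proxy, ...)
    }
    return isset($data['success']) && $data['success'] === true;
}

/** POST the token with curl; the secret travels in the body, not the URL. */
function fetch_siteverify(string $secret, string $token, string $ip)
{
    $ch = curl_init('https://www.google.com/recaptcha/api/siteverify');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(
            ['secret' => $secret, 'response' => $token, 'remoteip' => $ip]
        ),
        CURLOPT_RETURNTRANSFER => true,     // return the body instead of printing it
        CURLOPT_TIMEOUT        => 5,
    ]);
    return curl_exec($ch);                  // string on success, false on failure
}

// Constructed sample bodies, so the decision logic can be checked offline.
$samples = [
    'request failed'  => false,
    'HTML error page' => '<html>502 Bad Gateway</html>',
    'rejected token'  => '{"success": false, "error-codes": ["invalid-input-response"]}',
    'accepted token'  => '{"success": true, "hostname": "example.com"}',
];
foreach ($samples as $label => $body) {
    printf("%-16s => %s\n", $label, siteverify_passed($body) ? 'pass' : 'fail');
}
```

In a page handler, call `siteverify_passed(fetch_siteverify(...))` before anything is echoed, then send the `header('Location: ...')` redirect and `exit`.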

Damond (Author) Posted October 6, 2015

@~Rob0t Thanks for the info. I will have to do a lot more reading to figure out how to correct my mistakes that you have pointed out.

Veramys Posted October 6, 2015

Pretty sure that the allow_url_fopen setting is on within php because when I last updated the server, I activated the setting. Of course I could be wrong, it was a while ago.

~Rob0t Posted October 6, 2015

> Pretty sure that the allow_url_fopen setting is on within php because when I last updated the server, I activated the setting. Of course I could be wrong, it was a while ago.

Sure, on some installs. Depends on your sysadmin though. Also, if you have a shared server, it may be disabled.

Veramys Posted October 6, 2015

We are on a vps atm though we will be switching before too long to a dedicated.

Damond (Author) Posted October 6, 2015

After a bit of reading I have found that a better way to redirect a user with a bad answer or a blank answer is to use a META refresh directed at the right page.

So replacing:

```php
header("Location: macro1.php?refer={$_POST['refer']}");
```

With:

```php
echo '<META http-equiv="refresh" content="5;URL= /macro1.php?refer=' . $_POST['refer'] . '"">';
```

Solves the problem of "cannot add header information, headers already sent". Giving it a 5 second delay allows the user time to read their mistake before being redirected.

~Rob0t Posted October 6, 2015 (edited)

> After a bit of reading I have found that a better way to redirect a user with a bad answer or a blank answer is to use a META refresh directed at the right page.
>
> So replacing:
> header("Location: macro1.php?refer={$_POST['refer']}");
> With:
> echo '<META http-equiv="refresh" content="5;URL= /macro1.php?refer=' . $_POST['refer'] . '"">';
>
> Solves the problem of "cannot add header information, headers already sent". Giving it a 5 second delay allows the user time to read their mistake before being redirected.

Just to point out... From the w3;

> The objective of this technique is to enable redirects on the client side without confusing the user. Redirects are preferably implemented on the server side [...] The page containing the redirect code should only contain information related to the redirect.

So "better" in terms of lazy development, sure. ;)

Also, read http://www.w3.org/TR/2015/NOTE-WCAG20-TECHS-20150226/SVR1

Edit

What if the value of $_POST['refer'] is;

```
" content=""><META http-equiv="refresh" content="0;URL= http://my-malicious-site.com/hack_damonds_account.php"><foo bar="
```

Where is the sanitisation?

Edited October 6, 2015 by ~Rob0t
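
One way to add the sanitisation asked about above, as an added example that is not code from the thread: the `refer` value is accepted only if it matches an allow-list pattern for a local script name, and it is encoded for its context before being written into the tag. `safe_refer()`, `refresh_tag()`, the `index.php` default and the `explore.php` sample page are assumptions made for this sketch.

```php
<?php
// Added example, not code from the thread. Function names, the default
// page and the sample page name are assumptions.

/** Return $refer only if it is a plain local script path, else a default. */
function safe_refer($refer, string $default = 'index.php'): string
{
    if (!is_string($refer)) {
        return $default;
    }
    // Allows e.g. "explore.php" or "gym.php?action=train". A scheme, host,
    // slash, quote, angle bracket or space cannot match this pattern.
    if (preg_match('/\A[a-z0-9_]+\.php(\?[a-z0-9_=&%-]*)?\z/i', $refer) !== 1) {
        return $default;
    }
    return $refer;
}

/** Build the meta refresh tag with the value encoded for its context. */
function refresh_tag($refer, int $delay = 5): string
{
    // rawurlencode for the query-string value, htmlspecialchars for the attribute.
    $url = '/macro1.php?refer=' . rawurlencode(safe_refer($refer));
    return '<meta http-equiv="refresh" content="' . $delay . ';URL='
         . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed inputs: a normal page, the value quoted in the post above,
// and an off-site URL. The last two fall back to the default page.
$inputs = [
    'explore.php',
    '" content=""><META http-equiv="refresh" content="0;URL= http://my-malicious-site.com/hack_damonds_account.php"><foo bar="',
    'http://my-malicious-site.com/',
];
foreach ($inputs as $in) {
    echo refresh_tag($in), "\n";
}
```

The value returned by `safe_refer()` is also what should be passed to the `header("Location: ...")` redirect in macro2.php and written into the hidden `refer` field in macro1.php.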