Skip to content

Instantly share code, notes, and snippets.

@jonathanstark
Last active July 16, 2024 17:06
Show Gist options
  • Save jonathanstark/dfb30bdfb522318fc819 to your computer and use it in GitHub Desktop.
Save jonathanstark/dfb30bdfb522318fc819 to your computer and use it in GitHub Desktop.
Verify Google reCAPTCHA with PHP
#
# Verify captcha
$post_data = http_build_query(
array(
'secret' => CAPTCHA_SECRET,
'response' => $_POST['g-recaptcha-response'],
'remoteip' => $_SERVER['REMOTE_ADDR']
)
);
$opts = array('http' =>
array(
'method' => 'POST',
'header' => 'Content-type: application/x-www-form-urlencoded',
'content' => $post_data
)
);
$context = stream_context_create($opts);
$response = file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $context);
$result = json_decode($response);
if (!$result->success) {
throw new Exception('Gah! CAPTCHA verification failed. Please email me directly at: jstark at jonathanstark dot com', 1);
}
@Filnor
Copy link

Filnor commented Nov 13, 2017

Works like a charm! Thank you very much!

@ozzi-
Copy link

ozzi- commented Jan 4, 2018

This has a serious problem:

if (!$result->success) {

does not suffices, as success may be returned but as false.

if (!$result->success || $result !== true)

is a fix.

Steps to reproduce:
Replay request containing the captcha -> it will yield success = false & error code.

@Mecanik
Copy link

Mecanik commented Jan 12, 2018

Useful in some situations, thank you!

@KazeZlat
Copy link

@ozzi- reCAPTCHA response always has success property, and it is true when user succeeded and false if doesn't.
So !$result->success means "'success' property of '$result' not equals true", which is sufficent to know if user failed to pass test.

However, you might want to replace that with empty($result->success) so it won't throw you E_NOTICE when request failed and json_decode returned false.

@vic3256
Copy link

vic3256 commented Feb 9, 2018

Thanks!

@kinetic-henza
Copy link

Thanks a lot!!

@RickAQ-Dev
Copy link

Thanks!

@diversen
Copy link

diversen commented May 9, 2018

Nice one!

This one will work if 'allow_url_fopen' is disabled on your server:

https://gist.github.com/diversen/8184ecfe8b796dc809c3cb2c514003a0

@parsa25eng
Copy link

Thanks

@Mecanik
Copy link

Mecanik commented Aug 9, 2018

The correct method of checking result should be:

if (!$result->success || empty($result->success)) {

}

@samsonasik
Copy link

Thank you, actually, empty check should be enough:

if (empty($result->success)) {

}

@InfinitumForm
Copy link

InfinitumForm commented Oct 16, 2018

This is great solution, thanks for this. I made an more spicy solution:

function validate_rechapcha($response){
	// Verifying the user's response (https://developers.google.com/recaptcha/docs/verify)
	$verifyURL = 'https://www.google.com/recaptcha/api/siteverify';
	
	// Collect and build POST data
	$post_data = http_build_query(
		array(
			'secret' => 'YOUR_SECRET_KEY',
			'response' => $response,
			'remoteip' => (isset($_SERVER["HTTP_CF_CONNECTING_IP"]) ? $_SERVER["HTTP_CF_CONNECTING_IP"] : $_SERVER['REMOTE_ADDR'])
		)
	);
	
	// Send data on the best possible way
	if(function_exists('curl_init') && function_exists('curl_setopt') && function_exists('curl_exec')) {
		// Use cURL to get data 10x faster than using file_get_contents or other methods
		$ch =  curl_init($verifyURL);
			curl_setopt($ch, CURLOPT_POST, 1);
			curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
			curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
			curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
			curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
			curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
			curl_setopt($ch, CURLOPT_TIMEOUT, 5);
			curl_setopt($ch, CURLOPT_HTTPHEADER, array('Accept: application/json', 'Content-type: application/x-www-form-urlencoded'));
			$response = curl_exec($ch);
		curl_close($ch);
	} else {
		// If server not have active cURL module, use file_get_contents
		$opts = array('http' =>
			array(
				'method'  => 'POST',
				'header'  => 'Content-type: application/x-www-form-urlencoded',
				'content' => $post_data
			)
		);
		$context  = stream_context_create($opts);
		$response = file_get_contents($verifyURL, false, $context);
	}

	// Verify all reponses and avoid PHP errors
	if($response) {
		$result = json_decode($response);
		if ($result->success===true) {
			return true;
		} else {
			return $result;
		}
	}

	// Dead end
	return false; 
}

This is a much faster, universal and more flexible solution.

@mmxcrono
Copy link

This is great solution, thanks for this. I made an more spicy solution:

function validate_rechapcha($response){
	// Verifying the user's response (https://developers.google.com/recaptcha/docs/verify)
	$verifyURL = 'https://www.google.com/recaptcha/api/siteverify';
	
	// Collect and build POST data
	$post_data = http_build_query(
		array(
			'secret' => 'YOUR_SECRET_KEY',
			'response' => $response,
			'remoteip' => (isset($_SERVER["HTTP_CF_CONNECTING_IP"]) ? $_SERVER["HTTP_CF_CONNECTING_IP"] : $_SERVER['REMOTE_ADDR'])
		)
	);
	
	// Send data on the best possible way
	if(function_exists('curl_init') && function_exists('curl_setopt') && function_exists('curl_exec')) {
		// Use cURL to get data 10x faster than using file_get_contents or other methods
		$ch =  curl_init($verifyURL);
			curl_setopt($ch, CURLOPT_POST, 1);
			curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
			curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
			curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
			curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
			curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
			curl_setopt($ch, CURLOPT_TIMEOUT, 5);
			curl_setopt($ch, CURLOPT_HTTPHEADER, array('Accept: application/json', 'Content-type: application/x-www-form-urlencoded'));
			$response = curl_exec($ch);
		curl_close($ch);
	} else {
		// If server not have active cURL module, use file_get_contents
		$opts = array('http' =>
			array(
				'method'  => 'POST',
				'header'  => 'Content-type: application/x-www-form-urlencoded',
				'content' => $post_data
			)
		);
		$context  = stream_context_create($opts);
		$response = file_get_contents($verifyURL, false, $context);
	}

	// Verify all reponses and avoid PHP errors
	if($response) {
		$result = json_decode($response);
		if ($result->success===true) {
			return true;
		} else {
			return $result;
		}
	}

	// Dead end
	return false; 
}

This is a much faster, universal and more flexible solution.

This worked well for me. I had issues with using file_get_contents on a certain server, possibly due to permissions and access, so good ol' curl did the trick.

@m1001111
Copy link

m1001111 commented Dec 12, 2018

This is great solution, thanks for this. I made an more spicy solution:

function validate_rechapcha($response)
{
	// Verifying the user's response (https://developers.google.com/recaptcha/docs/verify)
	$verifyURL = 'https://www.google.com/recaptcha/api/siteverify';

	$query_data = [
		'secret' => 'Key',
		'response' => $response,
		'remoteip' => (isset($_SERVER["HTTP_CF_CONNECTING_IP"]) ? $_SERVER["HTTP_CF_CONNECTING_IP"] : $_SERVER['REMOTE_ADDR'])
	];

	// Collect and build POST data
	$post_data = http_build_query($query_data, '', '&');

	// Send data on the best possible way
	if (function_exists('curl_init') && function_exists('curl_setopt') && function_exists('curl_exec'))
	{
		// Use cURL to get data 10x faster than using file_get_contents or other methods
		$ch = curl_init($verifyURL);
		curl_setopt($ch, CURLOPT_POST, 1);
		curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
		curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
		curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
		curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
		curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
		curl_setopt($ch, CURLOPT_TIMEOUT, 5);
		curl_setopt($ch, CURLOPT_HTTPHEADER, array('Accept: application/json', 'Content-type: application/x-www-form-urlencoded'));
		$response = curl_exec($ch);
		curl_close($ch);
	}
	else
	{
		// If server not have active cURL module, use file_get_contents
		$opts = array('http' =>
			array(
				'method' => 'POST',
				'header' => 'Content-type: application/x-www-form-urlencoded',
				'content' => $post_data
			)
		);
		$context = stream_context_create($opts);
		$response = file_get_contents($verifyURL, false, $context);
	}

	// Verify all reponses and avoid PHP errors
	if ($response)
	{
		$result = json_decode($response);
		if ($result->success === true)
		{
			return true;
		}
		else
		{
			return $result;
		}
	}

	// Dead end
	return false;
}

Change http_build_query($query_data, '', '&');

@minecc
Copy link

minecc commented Oct 2, 2021

Error Code 0xc000001

@MediaMaquina
Copy link

How do i render the captcha after clicking the button but before the ajax response is shown?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment