How to test reCAPTCHA v3 and make sure it works?

I

IwanIwanow2021-03-23 17:00:11

reCAPTCHA

IwanIwanow, 2021-03-23 17:00:11

Google 's instructions say:

Automatically Bind Call to Button
The easiest way to use reCAPTCHA v3 on your page is to include the necessary JavaScript resource and add a few attributes to your html button.

First you need to add scripts to the site:

<script src="https://www.google.com/recaptcha/api.js"></script>

<script>
   function onSubmit(token) {
     document.getElementById("demo-form").submit();
   }
</script>

And the attributes for the form button:

<button class="g-recaptcha" 
        data-sitekey="reCAPTCHA_site_key" 
        data-callback='onSubmit' 
        data-action='submit'>Submit</button>

In the first script

<script src="https://www.google.com/recaptcha/api.js"></script>

I was alarmed by the lack of a public key in the link, which is why the recaptcha logo did not appear on the site in the lower right corner. By adding the /recaptcha/api.js?render=mysitekey12345 key here and the recaptcha logo appeared on my site, after which I decided that now it should work, but I really don’t understand if I achieved this.

The button in my form is not implemented through the tag , it is through , but I added attributes to it:<button><input type="submit" id="Anketa">

<input type="submit" id="Anketa" data-sitekey="mysitekey12345" data-callback='onSubmit' data-action='submit'>

, and added id="demo-form" to the form tag.

Questions:

1) Now after the test self-submission of the form, everything happens as usual, i. I don't see any trace of recaptcha activity and can't be sure if it works. How can I check and make sure that the recaptcha really protects my form?

2) Suppose the recaptcha works, but what happens if the user makes an unsuccessful form submission and the recaptcha takes him for a bot - will it prompt the user to select images, give an error, or even not alert the user while the form does not submit?

3) There are different ways to integrate recaptcha, given on different resources - how do they differ from the solution proposed by Google, which I resorted to?

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

A

Alexander, 2021-05-12
@IwanIwanow

Recaptcha of the third version works using neural networks, analyzes the behavior and other signs of the client on the site and issues the result of request processing in the form of a response

'success' => true,
   'challenge_ts' => '2021-05-12T10:56:23Z',
   'hostname' => 'site.ru',
   'score' => 0.90000000000000002,
   'action' => 'submit',

Where score is the score of the user who submitted the request.
Such an answer can be obtained by inserting the following code on the back-end (if the scripts are in PHP)

/*СОЗДАЕМ ФУНКЦИЮ КОТОРАЯ ДЕЛАЕТ ЗАПРОС НА GOOGLE СЕРВИС*/
  function getCaptcha($SecretKey) {
      $Response = file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=".SECRET_KEY."&response={$SecretKey}");
      $Return = json_decode($Response);
      return $Return;
  }
  
  /*ПРОИЗВОДИМ ЗАПРОС НА GOOGLE СЕРВИС И ЗАПИСЫВАЕМ ОТВЕТ*/
  $Return = getCaptcha($_POST['g-recaptcha-response']);

  //var_dump($_POST['g-recaptcha-response']);

  /*ВЫВОДИМ НА ЭКРАН ПОЛУЧЕННЫЙ ОТВЕТ*/
  //var_dump($Return);
  
  /*ЕСЛИ ЗАПРОС УДАЧНО ОТПРАВЛЕН И ЗНАЧЕНИЕ score БОЛЬШЕ 0,5 ВЫПОЛНЯЕМ КОД*/
  if($Return->success == true && $Return->score > 0.5){

тут код по дальнейшим действиям с формой

}

Those. after you have inserted the JS code, when submitting the form, the data from reCAPTCHA is transmitted ($_POST['g-recaptcha-response'])
This parameter must be passed as described above in the PHP code and receive a response, based on this, carry out further processing forms in normal mode or not.