How to stop spam on your web forms using reCAPTCHA

Stop spam. Read books. Sounds like a good concept?

Spammers have become wise to sites that use a "web form" to collect information, like "Comment" forms on YouTube. They use programs to send fake submissions through these forms, usually full of links to undesirable websites. This tutorial will show you how to cut out that automated spam using a clever version of the CAPTCHA system.

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart - it's the image of jumbled and obscured letters you have to type in before buying your tickets on TicketMaster. Because it is very hard for a program to "read" what's in the image, a CAPTCHA makes a form far more expensive for a bot to submit than for a person; it raises the bar rather than making abuse impossible, but for the bulk of automated spam that is enough.

Step 1 - Sign up for reCAPTCHA

reCAPTCHA is a cool version of this system that puts the typed-in words to good use - each challenge pairs a known word with one from a scanned book that OCR software couldn't recognise, so solving the CAPTCHA helps digitize old books. Sign up for free at http://recaptcha.net/whyrecaptcha.html

Registering gives you a key pair for your site: a public key that goes into the page to display the widget, and a private key that stays on your server and is used to verify answers. Keep the private key out of any page that is sent to the browser. The key pair is tied to your domain, so the CAPTCHA images served for your site can't simply be lifted and shown elsewhere by people trying to mass-solve CAPTCHAs (yes, that really happens).

Step 2 - Get the relevant reCAPTCHA API or Plugin

reCAPTCHA provides easy-to-use plugins for various website systems, like WordPress, Movable Type, MediaWiki, phpBB, Joomla and more. Go to the reCAPTCHA plugins page to see if they have a plugin for your system.

If they don't, you can still manually add reCAPTCHA to your PHP-based website. Download the reCAPTCHA library for PHP from Google Code as you will need to include recaptchalib.php in the relevant PHP pages.

Step 3 - Add the code to your existing system

The example code included with the reCAPTCHA library is good, but only applies if you are POSTing a form to the same page that displays it. Very often you'll be posting to a different page, for example from register.php, which contains your form, to register_complete.php, which deals with the submitted information and might send a confirmation email. You'll need to add code to both pages: one shows the widget, the other checks the answer before doing anything else.

On the page containing the form, in this case register.php, add the following code where you want the reCAPTCHA box to appear. Only the public key is needed here; the private key belongs on the receiving page that does the checking:

<?php
require_once('recaptchalib.php');

// your public (site) key from Step 1
$publickey = "KEY_HERE";

// prints the <script>/<noscript> markup that shows the reCAPTCHA widget
echo recaptcha_get_html($publickey);
?>

Replace KEY_HERE with the key you got in Step 1. Then on your receiving page, add the following BEFORE any other code and before any output at all (not even a blank line or whitespace ahead of the opening <?php tag). There are two reasons: we send people back to the original page with header(), which only works while nothing has been sent to the browser yet; and doing the check first means the rest of the page (saving the registration, sending the email) never runs unless the CAPTCHA was answered correctly. The check has to happen here, on the server: the fields the widget posts are just form values, and a bot can fill them in with anything it likes.

<?php
require_once('recaptchalib.php');

// your private key from Step 1 - this page is the only one that needs it
$privatekey = "KEY_HERE";

// Ask the reCAPTCHA servers whether the answer was right. The library needs the
// visitor's IP address plus the two fields the widget posts. Note that behind a
// reverse proxy or load balancer REMOTE_ADDR is the proxy's address, so in that
// setup substitute the real client address your proxy passes along.
$resp = recaptcha_check_answer($privatekey,
                               $_SERVER["REMOTE_ADDR"],
                               isset($_POST["recaptcha_challenge_field"]) ? $_POST["recaptcha_challenge_field"] : "",
                               isset($_POST["recaptcha_response_field"]) ? $_POST["recaptcha_response_field"] : "");

if (!$resp->is_valid) {
	// Wrong or missing answer: send the visitor back to the form with the
	// reCAPTCHA error code in the URL. urlencode() keeps the code from breaking
	// the query string. exit() is essential - without it PHP would carry on
	// running the rest of this page, and the registration would go through anyway.
	header("Location: register.php?error=" . urlencode($resp->error));
	exit();
}

// Valid answer: carry on with the rest of the page from here.

Notice that the error code is appended to the URL in the header() call. To let your users know that the CAPTCHA was wrong, add one last bit of code to the first page, above or beside the widget. Read the parameter from $_GET rather than $_REQUEST (it only ever arrives in the query string), and print a fixed message rather than echoing the raw value from the URL back into the page:

<?php
if (isset($_GET['error'])) {
	// fixed text only - never echo $_GET['error'] itself into the HTML
	echo "Please check the validation image";
}
?>

You could show this in red, or highlighted in a box to draw attention.
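The whole of Step 3 can be packed into one include file that both pages share. The following is an added example written for this tutorial, not code from the reCAPTCHA library or from the tutorial itself; the file name recaptcha_guard.php and all function names are mine. It assumes the library's recaptchalib.php sits in the same directory and that the server can reach the reCAPTCHA verify API, exactly as the snippets above do. Compared with the bare snippets it also refuses requests that are not a POST (so nobody can reach register_complete.php by just typing its URL), fails closed on any non-valid answer, url-encodes the error code, and only passes error codes it recognises back to the page and the widget.

```php
<?php
// recaptcha_guard.php -- added example for this tutorial, not the reCAPTCHA
// library's own code. File and function names are mine. Assumes
// recaptchalib.php (reCAPTCHA PHP library) is in the same directory and that
// the server can reach the reCAPTCHA verify API, as the tutorial's code does.
require_once dirname(__FILE__) . '/recaptchalib.php';

// Error codes the reCAPTCHA verify API documents, with the message we are
// willing to show for each. Any other value is treated as unknown, so a
// hand-crafted ?error=... in the URL cannot put arbitrary text on the page.
function recaptcha_error_messages() {
    return array(
        'incorrect-captcha-sol'    => 'The words you typed did not match the image. Please try again.',
        'invalid-site-private-key' => 'CAPTCHA is misconfigured on this site (bad private key).',
        'invalid-request-cookie'   => 'That CAPTCHA challenge has expired or was reused. Please try again.',
        'recaptcha-not-reachable'  => 'The CAPTCHA service could not be reached. Please try again later.',
    );
}

function recaptcha_known_error($code) {
    return is_string($code) && array_key_exists($code, recaptcha_error_messages());
}

function recaptcha_error_message($code) {
    $messages = recaptcha_error_messages();
    return recaptcha_known_error($code) ? $messages[$code] : 'Please check the validation image.';
}

// Builds the redirect target. urlencode() stops the code from smuggling extra
// query parameters into the URL (header() itself refuses newline characters).
function recaptcha_redirect_url($return_to, $code) {
    return $return_to . '?error=' . urlencode($code);
}

// For the page that shows the form (register.php in the tutorial): returns an
// error message, if the previous attempt failed, followed by the widget markup.
function recaptcha_widget($publickey) {
    $code = isset($_GET['error']) ? $_GET['error'] : null;   // $_GET, not $_REQUEST
    $html = '';
    if ($code !== null) {
        $html .= '<p class="error">'
               . htmlspecialchars(recaptcha_error_message($code), ENT_QUOTES, 'UTF-8')
               . "</p>\n";
    }
    // recaptcha_get_html() takes the error code as its second argument and makes
    // the widget itself display it; only hand it a code we know is genuine.
    return $html . recaptcha_get_html($publickey, recaptcha_known_error($code) ? $code : null);
}

// For the receiving page (register_complete.php). Call it before ANY output,
// because a failed check redirects with header(). It returns only on success,
// so nothing after it (database insert, confirmation email) runs for bots.
function recaptcha_require_valid($privatekey, $return_to) {
    // A GET, or a POST that skipped the widget, has no challenge fields at all:
    // bounce it straight back without asking the API.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !isset($_POST['recaptcha_challenge_field'], $_POST['recaptcha_response_field'])) {
        header('Location: ' . recaptcha_redirect_url($return_to, 'incorrect-captcha-sol'));
        exit();
    }

    // Behind a reverse proxy REMOTE_ADDR is the proxy, not the visitor; if that
    // is your setup, substitute the client address the proxy passes along.
    $resp = recaptcha_check_answer($privatekey,
                                   $_SERVER['REMOTE_ADDR'],
                                   $_POST['recaptcha_challenge_field'],
                                   $_POST['recaptcha_response_field']);

    // Fail closed: any non-valid answer, whatever the reason, goes back to the form.
    if (!$resp->is_valid) {
        header('Location: ' . recaptcha_redirect_url($return_to, $resp->error));
        exit();
    }
}

// Usage:
//   register.php:           require_once 'recaptcha_guard.php';
//                           echo recaptcha_widget($publickey);
//   register_complete.php:  require_once 'recaptcha_guard.php';
//                           recaptcha_require_valid($privatekey, 'register.php');
//                           ... the rest of the page now runs only for humans ...
```

The message table is the part most worth keeping even if you don't use the rest: once you start showing the reCAPTCHA error code to users, an allowlist is what stops a link such as register.php?error=<anything> from injecting text of the attacker's choosing into your page.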

Step 4 - Test your form!

It always pays to check and double-check, making sure that there aren't holes in your code. Try the form with the CAPTCHA left blank and with a wrong answer, and make sure you land back on register.php with the error message. Then try to bypass it: open register_complete.php directly in the browser, and submit the form fields to it with a tool like curl without going through the widget at all. Both should be bounced back to the form, and nothing (no database row, no confirmation email) should be created. If all has gone to plan, the automated spam should stop arriving.

Category: Miscellaneous, Server Security