Comments on: Validating reCaptcha with jQuery and AJAX

By: Joe

Joe — Fri, 04 Jun 2010 21:45:19 +0000

Thanks for this – with a few tweaks I was able to implement it directly into my site.

By: Zastrahovki

Zastrahovki — Wed, 02 Jun 2010 07:17:06 +0000

is there any working for I can see, there is one posted link in the comments is no longer using this method .
Regards

By: Jonathan Trowbridge

Jonathan Trowbridge — Tue, 01 Jun 2010 21:26:59 +0000

Thank you for posting this!

By: Tom

Tom — Mon, 26 Apr 2010 22:20:29 +0000

@Bucabay

As I was reading through the comments from this post I thought of the exact same solution. If you check the reCAPTCHA using Ajax, simply set a session variable if the check succeeded.

Then when you go to do the server-side validation, you will know if the person is already validated; just check the same session variable.

Don’t forget to unset your session variable after performing your actions, or a bot master could pass the test once, then spam like crazy subsequently because he is still validated.

By: Bucabay

Bucabay — Thu, 22 Apr 2010 23:19:31 +0000

Note that you need to save the captcha validation result in the session. If you just use JavaScript, you essentially just have JavaScript validation, which bots ignore anyway.
So you just made it harder for humans to submit the form, and did nothing for the bots that visit it.

In the page that validates the captcha:

if ($resp->is_valid) {
session_start();
echo ‘success’;
$_SESSION['captcha'] = 1;
}

Then on the PHP page that processes the form:

if (!$_SESSION['captcha']) {
// someone tried to bypass the captcha. Don’t waste your resources
die;
}

By: Chris

Chris — Mon, 19 Apr 2010 03:10:45 +0000

I fully plan to figure out a better way to do all of this, but I just haven’t had the time lately.

By: Jay

Jay — Fri, 02 Apr 2010 19:16:02 +0000

Heya – I’m a bit of a hack, and seem to be having the same issue as Bobby above – The validation works gret, but the form never gets submitted. What am I missing? Can you help?

By: Robert Sinton

Robert Sinton — Wed, 24 Mar 2010 20:12:57 +0000

PS If anyone else is getting as frustrated as me by trying to do all this in a single ajax operation talking directly the the reCaptch API server, you are almost certainly going to be defeated by browser security practices, preventing your page from directly loading the response from the reCaptcha domain.

No doubt that is why Chris used a separate local php script to do the checking in the first place.

By: Robert Sinton

Robert Sinton — Wed, 24 Mar 2010 19:23:18 +0000

Re: the issue with bypassing the reCaptcha if the checking is built into the front end rather than the form-processing script: you definitely do need to take extra steps to handle that.

Alex mentioned that he is going to handle the processing during the validation operation, so in a sense there is no form-processing script, at least not one that does the ‘real’ work.

This week I implemented a two-stage form, where we needed to verify the user’s humanity at both stages, but didn’t want to put them though two reCaptchas. I implemented this by setting a random temporary ‘password’ on the user’s customer record in the backend database once they had passed the first stage, and then incorporated that password into a hidden field in the second-stage form. Seeing that password come back with the submission of the second-stage form proved the user’s humanity without requiring any extra action on their part.

By: Jan

Jan — Wed, 24 Feb 2010 13:19:20 +0000

Hello

I see that you use ajax.recaptcha.php to validate if a captcha is correct and then if it is, it is submited

But when someone hacks the page, he can force it to just post it anyway.

So I would like a more secure solution, that the check is done on the server and when the check is successful the filled in form is send to the database or whatever has to happen

So everything including the filled in form and captcha is send to the server.

So far as I can see this is not 100% waterproof

Could you please update me on this, since I’m looking for a solid solution to integrate a captcha in a jquery modal dialog.

Jan

By: Chris

Chris — Fri, 19 Feb 2010 05:14:28 +0000

@nesh I will indeed.

By: nesh

nesh — Fri, 29 Jan 2010 19:37:53 +0000

@Chris

will you be posting the article that works with a current version of reCaptcha and incorporates all the comments and stuff? thanks

By: Chris

Chris — Mon, 25 Jan 2010 21:11:31 +0000

@Alex

When I wrote this, reCaptcha didn’t have their own exposed AJAX API methods so I had to use alternate methods. I have finally cleared enough off my table at work to redo this article with a current version of reCaptcha.

By: bobby

bobby — Mon, 04 Jan 2010 19:56:21 +0000

I got the recaptcha thing to work .. but its not submitting the form ? it just says … Success. Submitting form.

how do i get it to actually submit the form ?

By: James

James — Wed, 16 Dec 2009 20:57:23 +0000

You are a life saver. I had the same problem with using jquery validate and the remote call — I wanted the result to send back true or false and either reload the recaptcha or recognize that it was filled out correctly. That worked, but then the form wouldn’t submit. Used your tip to finish it off. The form is in action at http://www.ontaponline.com/register.

If anyone wants the full code just let me know and I can post it or email it.

Cheers.