Integration of ReCaptcha into Eform

59 Posts

Paul Bakulich Reply #1, 14 years, 5 months ago

I am starting this topic as I have a real problem... and I’m very new to PHP...

I need to integrate the reCaptcha into eForm...
but the main problem is...

the eForm submits the data before reCaptcha gets to work..

this is what I have....
a Recaptcha snippet....

<?php
# Set Snippet Paths
$snipFolder = isset($snipFolder)?$snipFolder:'recaptcha';
$snipPath = $modx->config["base_path"].'assets/snippets/'.$snipFolder.'/';

require_once($snipPath."recaptchalib.php");
$publickey = "--my publickey is here---";
$privatekey = "--my privatekey is here--";

# are we submitting the page?
if($_POST["submit"]) {
          
              $resp = recaptcha_check_answer ($privatekey,
                                $_SERVER["REMOTE_ADDR"],
                                $_POST["recaptcha_challenge_field"],
                                $_POST["recaptcha_response_field"]);

if (!$resp->is_valid) {
  die ("The reCAPTCHA wasn't entered correctly. Go back and try it again." .
       "(reCAPTCHA said: " . $resp->error . ")");
   }
}
echo recaptcha_get_html($publickey, $error);
?>

which is totally copied off the ReCaptcha site...

and all I am doing is calling it onto the Form ie [[recaptcha]]

The reCaptcha is displaying nicely... but how do I let it validate before eForm grabs all attention...

I have tried cutting the Snippet in two so that the displaying part loads then I use another snippet with a function call to do the validation... doesn’t work the way I implemented...

Your guys help would be greatly appreciated.. this project is a public charity organisation... getting people motivated & empowering them to contact their government representatives....

P.S. Sorry Can you move this to the Eform Child Board.. Thanks!
Thanks

Paul AL Bakulich - Association for Computing Machinery Professional Member
http://palbakulich.me/ | http://twitter.com/#!/palhmbs

24,544 Posts

BobRay Reply #2, 14 years, 5 months ago

I think you would need to either do the validation with JavaScript, or set a $_SESSION variable that will survive the reload and check that.

BTW, if you’re willing to give up reCaptcha (which many people find hard to read), eForm and SPForm both have their own built-in Captca implementations.

SPForm has a mathstring option that shows the user an image containing a simple equation to solve. So far it’s been unbreakable and with a little effort, it can be integrated into eForm.

Did I help you? Buy me a beer
Get my Book: MODX:The Official Guide
MODX info for everyone: http://bobsguides.com/modx.html
My MODX Extras
Bob's Guides is now hosted at A2 MODX Hosting

59 Posts

Paul Bakulich Reply #3, 14 years, 5 months ago

Hi Bob...

I’ve been reading up on the Captcha thing in Modx....

I also found a reCaptcha snippet that works for Jot...
but Captcha didn’t work for me.... I had the usual trouble... even locked myself out of the
manager....

I think it could all come back to GoDaddy and the Register_Globals = off thing...

I know I have all the GD libraries working... as the ReCaptcha and Captcha were both displaying...
Just not validating....

I tried using the hidden field thing on &eFormOnValidate=`checkfield` and loading the function before my eform snippet ie... [!eCheckField!] but couldn’t get it to display a validation error...
(That suggestion was there... http://modxcms.com/forums/index.php/topic,34567.msg249120.html#msg249120)

Could you elucidate me on what steps I need to take to do this...
"Validation with JavaScript, or set a $_SESSION variable that will survive the reload and check that."

I will check out your suggestions tho.. thanks! Really, really want to keep ReCaptcha....

BTW My Modx Site Config....

MODx version 1.0.0
Version codename rev 5601
Database Version: 5.0.67.d7-ourdelta-log
Database Collation Charset utf8_general_ci
PHP Version 5.2.8
Linux blahblah.shr.prod.phx3.secureserver.net
Server API CGI/FastCGI
sendmail_path /usr/sbin/sendmail -t -i
SMTP relay-hosting.secureserver.net

Paul AL Bakulich - Association for Computing Machinery Professional Member
http://palbakulich.me/ | http://twitter.com/#!/palhmbs

59 Posts

Paul Bakulich Reply #4, 14 years, 5 months ago

I think storing $_SESSION variables so that I can reload the page
or using javascript to pre-validate the reCaptcha

on the Form is what I need to do...
but I don’t quite know how to implement!

I have a piece of code attached that is an example on how to store session variables in php
but I don’t know how to implement in Modx....

Paul AL Bakulich - Association for Computing Machinery Professional Member
http://palbakulich.me/ | http://twitter.com/#!/palhmbs

24,544 Posts

BobRay Reply #5, 14 years, 5 months ago

You shouldn’t need anything that complicated.

Just this to save the session variable:

$_SESSION['whatever'] = $myVariable;

and, when you want to get it back:

$someVariable = $_SESSION['whatever_you_saved_it_as'];

at the point where you know the user is valid or now, save some keyword in a session variable. Then you can check for it at any point later on.

Did I help you? Buy me a beer
Get my Book: MODX:The Official Guide
MODX info for everyone: http://bobsguides.com/modx.html
My MODX Extras
Bob's Guides is now hosted at A2 MODX Hosting

59 Posts

Paul Bakulich Reply #6, 14 years, 5 months ago

At the moment I am trying to code in this method....

My snippet is going to unset the $_POST
save the sessions field values
and then give them back

unset($_POST['formid']);

$_SESSION['name']  =  $fields['name'];  // do this for each field!!

$fields['name'] = $_SESSION['name'];  // do this for each field!!

Am I on the right track?

Hope this works!

Paul AL Bakulich - Association for Computing Machinery Professional Member
http://palbakulich.me/ | http://twitter.com/#!/palhmbs

59 Posts

Paul Bakulich Reply #7, 14 years, 5 months ago

The above doesn’t work.... Here’s the steps I need....

1. User Fills in the Form
2. User Enters the ReCaptcha
3. Validate the ReCaptcha & submit the form or return the ReCaptcha Error (in the correct place

).

I think I need to do the ReCaptcha validation with a Javascript step
(I will try to put a javascript function in (instead of the ’submit’ on the form)

The javascript can then dynamically submit the form if the ReCaptcha is vaid!

Paul AL Bakulich - Association for Computing Machinery Professional Member
http://palbakulich.me/ | http://twitter.com/#!/palhmbs

24,544 Posts

BobRay Reply #8, 14 years, 5 months ago

Quote from: paulhomebus at Nov 05, 2009, 07:29 PM

The javascript can then dynamically submit the form if the ReCaptcha is valid!

I’m no JS expert but that sounds about right. Here’s some of the code SPForm uses:

In the html form:

<form action="[[~[[*id]]]]" method="post" onsubmit="return checkform(this);">

Code to insert the checkform js:
<?php
 $src = '<script type="text/javascript"> ';
    $src .= ' /* <![CDATA[ */ ';
    $src .= 'var requireName = ';
    $this->spfconfig["requireName"]? $src .= "true; " : $src .= "false; ";

$src .= 'function checkform (form) { ';

        $src .= 'if (requireName == true) { ';
            $src .= 'if (form.name.value == "") { ';
                $src .= 'alert( "Please enter your name" ); ';
                $src .= 'form.name.focus(); ';
                $src .= 'return false; ';
            $src .= '} ';
        $src .= '} ';

    $src .= '} ';

    $src .= ' /* ]]> */ ';
    $src .= '</script> ';

    $this->modx->regClientStartupScript($src);
?>

If you’re code returns false, the form won’t be submitted. Note that this isn’t Javascript code, it’s PHP code that creates JS code, so you should be able to do your reCaptcha check in PHP and just set a variable that the JS code will act on.

Did I help you? Buy me a beer
Get my Book: MODX:The Official Guide
MODX info for everyone: http://bobsguides.com/modx.html
My MODX Extras
Bob's Guides is now hosted at A2 MODX Hosting

59 Posts

Paul Bakulich Reply #9, 14 years, 5 months ago

I’ve been told by someone in the know that the bots can easily bypass any javascript functions...

So I have been hacking at eform.inc.php again... I have replaced the vericode check with my own..
which means that in my snippet I set the flag &vericode=`1`

and replace code in eform.inc.php below this....
# check vericode
if($vericode) {

with this....

		# check vericode
		if($vericode) {

    		$CaptchaPath = $modx->config["base_path"].'assets/snippets/recaptcha/'; 
 
		require_once($CaptchaPath."recaptchalib.php");
		$privatekey = "---my key---";
			$resp = recaptcha_check_answer()


			if ($resp->is_valid) {
			    break; // echo "You got it!";
   			 } else {
		    # set the error code so that we can display it. You could also use
   		    # die ("reCAPTCHA failed"), but using the error message is
    		    # more user friendly
    			die $vMsg[count($vMsg)]= $_lang['ef_failed_vericode'],  // "This died!";
       			"(reCAPTCHA said: " . $resp->error . ")");	// $error = $resp->error;
  				}
			}

At the moment it is giving me the error message... when means it is processing but isn’t checking the ($resp) properly...

I think I am only a step away from getting this to work...
Will let you know when I do!

Thanks Bob for your suggestions...

Paul AL Bakulich - Association for Computing Machinery Professional Member
http://palbakulich.me/ | http://twitter.com/#!/palhmbs

24,544 Posts

BobRay Reply #10, 14 years, 5 months ago

BTW, if you need real security, reCaptha might not be the answer. It uses dictionary words and you only have to get one of them right. Bots are getting better at decoding the captcha images and the only way to fight that is to make the images harder for humans to read. Also there’s a pretty easy way around it.

You just throw up a free porn site and insert the captcha images from sites you want to log on to as part of the free login to the porn site. The porn visitors solve the captchas for you and you send the correct response to the target site.

In the third world, children are hired for pennies a day to log onto sites with Captcha.

SPForm has a bunch of spam-proofing options (the equation, hidden form field, require mouse or keyboard, hidden key to prevent direct use of the mail function, etc.). I consider it a lot more secure from bots than reCaptcha but nothing is hack-proof.

There’s also a Mollom class for MODx that’s quite promising. It won’t show captcha images to your regular visitors and Mollom constantly monitors for bots, blocks them by IP and return address, and changes the captcha style frequently. Mollom can also respond to the quality of the content sent in an email or comment form using a complex algorithm.

Did I help you? Buy me a beer
Get my Book: MODX:The Official Guide
MODX info for everyone: http://bobsguides.com/modx.html
My MODX Extras
Bob's Guides is now hosted at A2 MODX Hosting