PHP and ReCaptcha

Peceiver

Today's pain: http://code.google.com/apis/recaptcha/docs/php.html
Getting the above to function on my site..

All your guidance, advice, criticism is appreciated.

Peceiver

So far I have visible:
1. the form
2. the recaptcha

working on mail() func

Peceiver

 <table>
       <tbody bgcolor="#EFEFF5">
       <form name="helpform" method="post" action="">
        <div id="recaptcha">
		<?php require_once('include/recaptchalib.php');
  $publickey = "****************************** "; // you got this from the signup page
  echo recaptcha_get_html($publickey); 
  		?>
        </div>
          <tr id="contactform">
              <td>Your Email: </td>
              <td>
                	<input name="FROM" type="text" size="40" maxlength="30" value="<?php echo stripslashes(trim(htmlentities($FROM))) ?>" onFocus="this.value==this.defaultValue?this.value='':null">
              </td>
              </tr>
          <tr id="contactform">
              <td>First Name: </td>
              <td>
                	<input name="fname" type="text" size="40" maxlength="20" value="<?php echo stripslashes(trim(htmlentities($fname)))?>" onFocus="this.value==this.defaultValue?this.value='':null">
              </td>
          </tr>
          <tr id="contactform">
              <td>Last Name: </td>
              <td>
                	<input name="lname" type="text" size="40" maxlength="20" value="<?php echo stripslashes(trim(htmlentities($lname)))?>" onFocus="this.value==this.defaultValue?this.value='':null">
              </td>
          </tr>
          <tr id="contactform">
              <td>Message: </td>
              <td>
            	<textarea name="message" rows="5" cols="31" maxlength="200" value="<?php echo stripslashes(trim(htmlentities($message)))?>" wrap="physical"></textarea>
              </td>
          </tr>
              </tr>
          <tr>
          		<td>
                <input type="submit" value="Submit" action="mail()">
                </td>
          </tr>

      </form>

Peceiver

<?php
 	 $errors = array();

 //READ the user recaptcha
 require_once('recaptchalib.php');
 $privatekey = "****************************";
 $resp = recaptcha_check_answer ($privatekey,
								 $_SERVER["REMOTE_ADDR"],
								 $_POST["recaptcha_challenge_field"],
								 $_POST["recaptcha_response_field"]);

 //READ the posted form data
 $fromemail = $_POST['fromemail'];
 $fname = $_POST['fname'];
 $lname = $_POST['lname'];
 $message = $_POST['message'];

 //VALIDATE form data exists
 if(!isset($frommail) ||
    !isset($fname) ||
    !isset($lname) ||
    !isset($message)){
	echo 'We are sorry, but there appears to be a problem with the form you submitted.';      
 }else{
	echo 'success';
	}

	$fromemail = stripslashes($fromemail);
	$fname = stripslashes($fname);
	$lname= stripslashes($lname);
	$message = stripslashes($message);

	$fromemail = trim(htmlentities($fromemail));
	$fname = trim(htmlentities($fname));
	$lname= trim(htmlentities($lname));
	$message = trim(htmlentities($message));

	//VALIDATE !errors
  if (!empty($errors)){
	redirect_to("http://www.******.com/index.php");	
	}

	//CREATE the email form data
	$to = "customerservice@******.com"; 
	$subject = $fname . " " . $lname;
	$headers = "From: " . $fromemail;


  if (!$resp) {
	   // What happens when the CAPTCHA was entered incorrectly
	   echo ("The reCAPTCHA wasn't entered correctly. Go back and try it again." .
			"(reCAPTCHA said: " . $resp->error . ")");
  }else {
   // Your code here to handle a successful verification
   echo "SUCCESS!";
  }


	mail($to, $subject, $message, $headers);

 ?>

bradgrafelman

Is there a problem/question anywhere in here, or is it just a general code critique you're after?

Peceiver

Yes I have errors.

So far I am able to get information sent through to my email, however form validation is failing hard.

I want to use:
htmlentities,
stripslashes,
trim,
recaptcha...

will post code soon, thanks.

Peceiver

ok so I also have the problem of form data staying stored persistently.. even when i close the website and load it!

Best practice in clearing a form on submit?

bradgrafelman

Nothing "stores" the form except possibly your browser. So... disable the auto-save feature (or whatever it's called) in your browser.

Peceiver

ty brad, i resolved that problem.

The actual form now is functioning... but the recaptcha validation fails.

<?php
 	 $errors = array();

 //READ the user recaptcha
 require_once('recaptchalib.php');
 $privatekey = "*******************************";
 $resp = recaptcha_check_answer ($privatekey,
								 $_SERVER["REMOTE_ADDR"],
								 $_POST["recaptcha_challenge_field"],
								 $_POST["recaptcha_response_field"]);

 //READ the posted form data
 $fromemail = $_POST['fromemail'];
 $fname = $_POST['fname'];
 $lname = $_POST['lname'];
 $message = $_POST['message'];

 //VALIDATE form data exists
 if(!isset($fromemail) ||
    !isset($fname) ||
    !isset($lname) ||
    !isset($message));/*{
	echo 'We are sorry, but there appears to be a problem with the form you submitted.';      
 }else{
	echo 'SUCCESS';
	}*/

	$fromemail = stripslashes($fromemail);
	$fname = stripslashes($fname);
	$lname= stripslashes($lname);
	$message = stripslashes($message);

	$fromemail = trim(htmlentities($fromemail));
	$fname = trim(htmlentities($fname));
	$lname= trim(htmlentities($lname));
	$message = trim(htmlentities($message));

	$mail = "(mail($to, $subject, $message, $headers))";

  if ($resp) {
	 $mail;
  }else{
	 // What happens when the CAPTCHA was entered incorrectly
	 echo ("The reCAPTCHA wasn't entered correctly. Go back and try it again." .
			"(reCAPTCHA said: " . $resp->error . ")");  
  }

	//CREATE the email form data
	$to = "customerservice@****.com"; 
	$subject = $fname . " " . $lname;
	$headers = $fromemail;

	if ($mail){
		header("Location: http://www.****.com/index.php");
	}else{
		header("Location: http://www.****.com/contact.php");	
	}
 ?>

bradgrafelman

What value does $resp have when it fails? What about $POST["recaptcha_challenge_field"] and $POST["recaptcha_response_field"]?

Peceiver

	  if (!$verify->is_valid) {
      		echo $errors[] = 'response to captcha' . "<br/>" . 'reCAPTCHA said: ' . $resp->error;
        } else {
        	echo 'success';
		}

I am trying to get an accurate error, however I can only have it echo back my response in quotes.

WARNING: extreme newbie.

Peceiver

$recaptcha_challenge_field = $POST["recaptcha_challenge_field"];
$recaptcha_response_field = $POST["recaptcha_response_field"];

 echo $recaptcha_challenge_field;
 echo $recaptcha_response_field;

so according to this.. they are not getting posted.
strange because I have no way of seeing the code in the form other than :

                    [code=php]<?php 
		require_once('include/recaptchalib.php');
		$publickey = "6LcylcUSAAAAAIStvJkS0HG72aavZuoUGj-wIGQS "; 
		// you got this from the signup page
		echo recaptcha_get_html($publickey); 
		?>[/code]

Is there something else I need to add to the form? perhaps some INPUTS for them?

Peceiver

soo close to a completed form with recaptcha.. everything but the validation.

//The verify.php file

<?php
	 //READ the posted form data
	    $fromemail = htmlspecialchars($_POST['fromemail']);
	    $fname = htmlspecialchars($_POST['fname']); 
	    $lname = htmlspecialchars($_POST['lname']); 
	    $message = htmlspecialchars($_POST['message']);

 echo "$fromemail" . " " . "$fname" . " " . "$lname" . " " . "$message" . "<br/>";

 //VALIDATE form data exists
	!isset($fromemail) || empty($fromemail) ||
    !isset($fname) || empty($fname) ||
    !isset($lname) || empty($lname) ||
    !isset($message);

	//CREATE safe text
	$fromemail = stripslashes($fromemail);
	$fname = stripslashes($fname);
	$lname= stripslashes($lname);
	$message = stripslashes($message);

	// CREATE safe text
	$fromemail = trim($fromemail);
	$fname = trim($fname);
	$lname= trim($lname);
	$message = trim($message);

	//CREATE the email form data
	$to = "customerservice@*****.com"; 
	$subject = "Accreu-". $fname . " " . $lname;
	$headers = "From: " .$fromemail;
	$mail = 'mail($to, $subject, $message, $headers)';

	$privatekey = "*********************************";

 $recaptcha_challenge_field = htmlspecialchars($_POST["recaptcha_challenge_field"]);
 $recaptcha_response_field = htmlspecialchars($_POST["recaptcha_response_field"]);
 e
 cho $recaptcha_challenge_field;
 echo $recaptcha_response_field;

 //READ the user recaptcha
  require_once('recaptchalib.php');
   $verify = recaptcha_check_answer ($privatekey,
								 $_SERVER["REMOTE_ADDR"],
								 $recaptcha_challenge_field,
								 $recaptcha_response_field);									 
  if (!$verify->is_valid) {
  		echo 'response to captcha' . "<br/>" . 'reCAPTCHA said: ' . $resp->error;
    } else {
    	echo 'success';
	}	
 ?>

//The form

 

<form name="helpform" method="post" action="include/verify.php">
        <div id="recaptcha">
			<?php 
			require_once('include/recaptchalib.php');
  			$publickey = "******************************-wIGQS"; 
			// you got this from the signup page
  			echo recaptcha_get_html($publickey); 
  			?>
        </div>
          <tr id="contactform">
              <td>Your Email: </td>
              <td>
                	<input name="fromemail" type="text" size="40" maxlength="30">
              </td>
              </tr>
          <tr id="contactform">
              <td>First Name: </td>
              <td>
                	<input name="fname" type="text" size="40" maxlength="30">
              </td>
          </tr>
          <tr id="contactform">
              <td>Last Name: </td>
              <td>
                	<input name="lname" type="text" size="40" maxlength="30" >
              </td>
          </tr>
          <tr id="contactform">
              <td>Message: </td>
              <td>
            	<textarea name="message" rows="6" cols="31" maxlength="222" wrap="physical"></textarea>
              </td>
          </tr>
              </tr>
          <tr>
          		<td>
                <input type="submit" value="Submit">
                </td>
          </tr>

      </form>

Lets build some confidence in me that PHP is the bom.

bradgrafelman

Peceiver;10983053 wrote:
strange because I have no way of seeing the code in the form

Of course you do; visit the page in your browser and view the rendered output of your script. Look in the HTML source code and find the section where the CAPTCHA code is supposed to be inserted.

Once you've done that, can you post that HTML here for us to see?

Peceiver

Savvy.

<input id="recaptcha_response_field" type="text" name="recaptcha_response_field" style="border: 1px solid #3c3c3c; width: 302px;" autocomplete="off">

johanafm

Peceiver;10983053 wrote:

$recaptcha_challenge_field = $_POST["recaptcha_challenge_field"];
$recaptcha_response_field = $_POST["recaptcha_response_field"];

echo $recaptcha_challenge_field;
echo $recaptcha_response_field;

so according to this.. they are not getting posted.

According to what...? There is no output? You get an E_NOTICE about undefined index?
printf('<pre>%s</pre>', print_r($POST,1)); will show you everything contained in $POST.
Anyway, looking at your last posted code, there is no challenge field, just a response field. And if that's just a copy-paste error, perhaps the problem is using htmlspecialchars on recaptcha challenge and response data? I've no idea how that function works, so I can't say for sure, but it's a possibility.

And some other things I recommend you fix

# Why htmlspecialchars?
$fromemail = htmlspecialchars($_POST['fromemail']);
$fname = htmlspecialchars($_POST['fname']); 
$lname = htmlspecialchars($_POST['lname']); 
$message = htmlspecialchars($_POST['message']);

/* Email address input: John Doe<john@example.com>
 * Email address output: John Doe&lt;john@example.com&gt;
 * Subject input: Please read & reply asap
 * Subject output: Please read &amp; reply asap
 */


# Since you removed the if statement, this now does absolutely nothing
!isset($fromemail) || empty($fromemail) ||
!isset($fname) || empty($fname) ||
!isset($lname) || empty($lname) ||
!isset($message);


//CREATE safe text
# Safe how?
$fromemail = stripslashes($fromemail);
$fname = stripslashes($fname);
$lname= stripslashes($lname);
$message = stripslashes($message);
/* message input:
 * You should find the folder under C:\users\accountname\
 * message output
 * You should find the folder under C:usersaccountname
 */


// CREATE safe text
# Safe how?
$fromemail = trim($fromemail);
$fname = trim($fname);
$lname= trim($lname);
$message = trim($message);
/* message input:
	Hi
That's all!
 * message output:
Hi
That's all
 * using trim on names and email address is ok, but if the user wants to start his
 * message with one or more whitespaces, why not let him?
 */ 


# Once again, why the htmlspecialchars?
$recaptcha_challenge_field = htmlspecialchars($_POST["recaptcha_challenge_field"]);
$recaptcha_response_field = htmlspecialchars($_POST["recaptcha_response_field"]);

# linebreak?
e
cho $recaptcha_challenge_field;
echo $recaptcha_response_field;