How to include Google RECAPTCHA 2 in whitelist of form inputs.

kman894
New php-forum User
Posts: 2
Joined: Wed Sep 26, 2018 10:49 am

Wed Sep 26, 2018 11:30 am

I have a form to which I decided to add Google reCAPTCHA as an added measure of security.
When I added the reCAPTCHA it triggers an error because the reCAPTCHA field is not whitelisted.
I read that HTML5 does not allow assigning the name attribute to a div, i.e. <div name="myName"></div>.
Against convention, I tried adding a name to the reCAPTCHA div and adding that name to the whitelist. That approach failed.
There is an iframe within the div that has the name attribute. I tried using the iframe name in the whitelist. That approach also failed.
There is a hidden input that has id="recaptcha-token". I added 'recaptcha-token' to the whitelist. This approach also failed.
The hidden input is generated by the reCAPTCHA API, so I don't think I have a means of assigning a name attribute to this input.
Does anyone have a workaround or suggestion?

Note: form validation and whitelist all worked as expected prior to adding recaptcha.

This is the div within the form.

<div class="row">
  <div class="col-md-12">
    <div class="g-recaptcha" data-sitekey="<?php print $public_key;?>"></div>
  </div>
</div>

There is a hidden input within the form that contains a token. This token is completely separate from the Google reCAPTCHA. However, this token must be verified before the form inputs are compared to the $whitelist.

Here are the code blocks:

// $errors is passed by reference so the messages survive the return
// (in the original, $errors was a function-local array that was discarded)
function verifyFormToken($form, array &$errors) {
    if (!isset($_SESSION[$form.'_token'])) {
        $errors[] = "Session not set and no token";
        return false;
    }
    //echo 'Session token is set.'.'<br>';

    if (!isset($_POST['token']) || !is_string($_POST['token'])) {
        $errors[] = 'No form token was sent!'.'<br>';
        return false;
    }

    // hash_equals() compares the two strings in constant time
    if (!hash_equals((string)$_SESSION[$form.'_token'], $_POST['token'])) {
        $errors[] = 'tokens don\'t match!'.'<br>';
        return false;
    }
    //echo 'Tokens match. Good to go.'.'<br>';
    return true;
}

// VERIFY LEGITIMACY OF TOKEN
$errors = array();
if (verifyFormToken('form1', $errors)) {
    // Building a whitelist array with the keys the form sends; no others will be accepted later on
    $whitelist = array('token','req-fName','req-lName','req-email','req-phone','req-address','req-city','req-state','req-zip','req-message','req_method','req-dateDepart','req-dateReturn','recaptcha-token','submit');

    // Walking the $_POST superglobal
    foreach ($_POST as $key => $item) {
        // Check if $key (fieldname from $_POST) can be found in the whitelisting array;
        // if not, log it and answer the hacker with a short message
        if (!in_array($key, $whitelist, true)) {
            writeLog('Unknown form fields');
            //die('Hack-Attempt detected. Only the fields originally included in the form are allowed!');
            echo "Hack-Attempt detected.";
        }
    }
}
I can also provide a screenshot of the html expanded in the chrome developer pane if required.
Thanks in advance for having a look at this.

kman894
New php-forum User
Posts: 2
Joined: Wed Sep 26, 2018 10:49 am

Thu Sep 27, 2018 11:39 pm

This answer came from phpbuilder.com
Turns out that I needed to add g-recaptcha-response to the whitelist.
Hope this will help anyone else if they face this issue.
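As an added example (not the poster's code), here is the whitelist check from the first post with the g-recaptcha-response field from the answer above included, plus the server-side step the thread does not show: asking Google's siteverify endpoint whether that response is genuine. Whitelisting the field only lets the request past the unknown-field check; without siteverify, a submission with an empty or forged g-recaptcha-response value is accepted exactly like a solved one. The function names, the expected hostname, the secret key placeholder and the sample POST data are all assumptions made here; the siteverify URL and its success and hostname JSON fields are Google's documented API.

```php
<?php
// Example added to the thread, not the original poster's code.
// Assumed names: unknownFields(), verifyRecaptcha(), handleSubmission().
const RECAPTCHA_SECRET = 'REPLACE-WITH-YOUR-SECRET-KEY'; // placeholder, never the site key
const EXPECTED_HOST    = 'example.com';                   // placeholder: the host serving the form

// Return the submitted field names that are not in the whitelist (empty array = all good).
function unknownFields(array $post, array $whitelist): array {
    $unknown = array();
    foreach (array_keys($post) as $key) {
        if (!in_array((string)$key, $whitelist, true)) {
            $unknown[] = (string)$key;
        }
    }
    return $unknown;
}

// Ask Google whether the reCAPTCHA v2 response is genuine. Returns true only when
// siteverify reports success and the hostname it saw matches the one we expect.
function verifyRecaptcha(string $secret, string $response, string $expectedHost, ?string $remoteIp = null): bool {
    if ($response === '') {
        return false; // the widget was never solved; the field is submitted empty
    }
    $fields = array('secret' => $secret, 'response' => $response);
    if ($remoteIp !== null) {
        $fields['remoteip'] = $remoteIp;
    }
    $context = stream_context_create(array('http' => array(
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query($fields),
        'timeout' => 5,
    )));
    $raw = @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $context);
    if ($raw === false) {
        return false; // network failure: fail closed, treat as not verified
    }
    $result = json_decode($raw, true);
    return is_array($result)
        && !empty($result['success'])
        && isset($result['hostname'])
        && $result['hostname'] === $expectedHost;
}

// Hypothetical handler: unknown fields are rejected and logged before anything else runs,
// then the captcha response is verified server-side.
function handleSubmission(array $post, string $remoteIp): string {
    $whitelist = array('token','req-fName','req-lName','req-email','req-phone','req-address','req-city',
        'req-state','req-zip','req-message','req_method','req-dateDepart','req-dateReturn',
        'g-recaptcha-response','submit');
    $unknown = unknownFields($post, $whitelist);
    if ($unknown !== array()) {
        error_log('Unknown form fields: ' . implode(',', $unknown));
        return 'rejected: unexpected fields';
    }
    $response = (isset($post['g-recaptcha-response']) && is_string($post['g-recaptcha-response']))
        ? $post['g-recaptcha-response'] : '';
    if (!verifyRecaptcha(RECAPTCHA_SECRET, $response, EXPECTED_HOST, $remoteIp)) {
        return 'rejected: captcha not verified';
    }
    return 'accepted';
}

// Constructed sample input (no real request): the fields a v2 widget submits with the form.
$goodPost = array(
    'token'                => 'constructed-form1-token',
    'req-fName'            => 'Ada',
    'g-recaptcha-response' => 'constructed-widget-response',
    'submit'               => 'Send',
);
$badPost = $goodPost + array('admin' => '1'); // an extra field the form never had

var_dump(unknownFields($goodPost, array('token','req-fName','g-recaptcha-response','submit'))); // array(0) {}
var_dump(unknownFields($badPost,  array('token','req-fName','g-recaptcha-response','submit'))); // ["admin"]
// handleSubmission($goodPost, '203.0.113.5') would now contact siteverify with the placeholder secret.
```

The in_array() calls use strict comparison so a field named "0" cannot match a whitelist entry by PHP's loose string-to-number rules, and the handler stops on the first unexpected field instead of only echoing a message and carrying on, which is the gap left by the commented-out die() in the original snippet.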
