dongxin8392 2018-09-27 00:45
Views: 49

How to include Google reCAPTCHA 2 in a PHP whitelist of form inputs

I have a form in which I decided to include Google reCAPTCHA as an added measure of security. When I added the reCAPTCHA it triggers an error because the reCAPTCHA is not whitelisted. I read that HTML5 does not allow assigning the name attribute to div, i.e. <div name="myName"></div>. Against convention, I tried adding a name attribute to the reCAPTCHA div and adding that name to the whitelist. That approach failed. There is an iframe within the reCAPTCHA div that has the name attribute. I tried using the iframe name in the whitelist. That approach also failed. There is a hidden input that has an id="recaptcha-token". I added 'recaptcha-token' to the whitelist. This approach also failed. The hidden input is generated by the reCAPTCHA API, so I don't think I have a means of assigning a name attribute to this input. Does anyone have a workaround or suggestion?

Note: form validation and whitelist all worked as expected prior to adding recaptcha.

Recaptcha works as expected if I eliminate the whitelisting of the form inputs.

This is the div within the form.

<div class="row">
  <div class="col-md-12">
    <div class="g-recaptcha" data-sitekey="<?php print $public_key;?>"></div>
  </div>
</div>

There is a hidden input within the form that contains a token. This input and token are completely separate from the Google reCAPTCHA. However, this token must be verified before the form inputs are compared to the $whitelist.

Here are the code blocks:

function verifyFormToken($form, array &$errors) {
    // The session must already hold a token for this form
    if (!isset($_SESSION[$form.'_token'])) {
        $errors[] = 'Session not set and no token';
        return false;
    }

    // The form must have posted its copy of the token
    if (!isset($_POST['token'])) {
        $errors[] = 'No form token was sent!<br>';
        return false;
    }

    // Strict comparison: the session token and the posted token must be identical
    if ($_SESSION[$form.'_token'] !== $_POST['token']) {
        $errors[] = 'Tokens don\'t match!<br>';
        return false;
    }

    return true;
}

$errors = array();

// VERIFY LEGITIMACY OF TOKEN
if (verifyFormToken('form1', $errors)) {
    // Build a whitelist of form inputs
    // ('recaptcha-token' is the hidden-input id tried in the question above)
    $whitelist = array('token','req-fName','req-lName','req-email','req-phone','req-address','req-city','req-state','req-zip','req-message','req_method','req-dateDepart','req-dateReturn','recaptcha-token','submit');

    // Any POST key that is not in the whitelist aborts the request.
    // Strict in_array so that a numeric key cannot loosely match a string entry.
    foreach ($_POST as $key => $item) {
        if (!in_array($key, $whitelist, true)) {
            writeLog('Unknown form fields');
            die('Hack-Attempt detected. Only the fields originally included in the form are allowed!');
        }
    }
}

1 answer

  • dongyingtang3803 2018-09-28 07:31

    This answer came from phpbuilder.com. Turns out that I needed to include "g-recaptcha-response" in the whitelist. Hope this helps anyone else facing this issue.

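The following is an added example, not code from the question or the answer above. It keeps the question's whitelist approach, adds "g-recaptcha-response" (the field named in the answer) to the whitelist, and then verifies that value server-side against Google's siteverify endpoint, since letting the field through the whitelist does not by itself check the CAPTCHA. Assumptions: $secret_key holds the site's reCAPTCHA secret, writeLog() exists in the surrounding application (as in the question), session_start() has already been called, and $_SERVER['SERVER_NAME'] is the hostname the widget was solved on; hash_equals() is used in place of the question's !== comparison, and the enforceWhitelist() and verifyRecaptcha() helpers are names chosen here.

```php
<?php
// Added example; not from the original post. See the lead-in for assumptions.

// Compare the per-form session token against the posted one in constant time
// (hash_equals replaces the question's !== comparison).
function verifyFormToken(string $form, array &$errors): bool {
    if (!isset($_SESSION[$form . '_token'])) {
        $errors[] = 'Session not set and no token';
        return false;
    }
    if (!isset($_POST['token']) || !is_string($_POST['token'])) {
        $errors[] = 'No form token was sent!';
        return false;
    }
    if (!hash_equals((string) $_SESSION[$form . '_token'], $_POST['token'])) {
        $errors[] = "Tokens don't match!";
        return false;
    }
    return true;
}

// Reject the request if any posted field name is outside the whitelist.
// Strict comparison matters: with loose comparison an integer key 0 would
// match a non-numeric string entry on PHP 7.
function enforceWhitelist(array $post, array $whitelist): bool {
    foreach (array_keys($post) as $key) {
        if (!in_array($key, $whitelist, true)) {
            return false;
        }
    }
    return true;
}

// Ask Google's siteverify endpoint whether the submitted token is valid.
// Returns true only when the JSON reply says "success": true and, when an
// expected hostname is given, the token was solved on that hostname.
function verifyRecaptcha(string $secret, string $response, ?string $expectedHost = null): bool {
    if ($response === '') {
        return false;            // widget not completed or field missing
    }
    $body = http_build_query(['secret' => $secret, 'response' => $response]);
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => $body,
        'timeout' => 5,
    ]]);
    $raw = @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $ctx);
    if ($raw === false) {
        return false;            // network failure: fail closed
    }
    $data = json_decode($raw, true);
    if (!is_array($data) || ($data['success'] ?? false) !== true) {
        return false;
    }
    if ($expectedHost !== null && ($data['hostname'] ?? '') !== $expectedHost) {
        return false;            // token was solved on a different site
    }
    return true;
}

$errors = [];
if (!verifyFormToken('form1', $errors)) {
    writeLog('Form token check failed: ' . implode('; ', $errors));
    die('Invalid form submission.');
}

$whitelist = [
    'token', 'req-fName', 'req-lName', 'req-email', 'req-phone', 'req-address',
    'req-city', 'req-state', 'req-zip', 'req-message', 'req_method',
    'req-dateDepart', 'req-dateReturn', 'submit',
    'g-recaptcha-response',   // the field the reCAPTCHA widget submits
];

if (!enforceWhitelist($_POST, $whitelist)) {
    writeLog('Unknown form fields');
    die('Only the fields originally included in the form are allowed!');
}

// Whitelisting the field only lets it through; the token still has to be
// verified with the secret key before the submission is trusted.
$token = is_string($_POST['g-recaptcha-response'] ?? null) ? $_POST['g-recaptcha-response'] : '';
if (!verifyRecaptcha($secret_key, $token, $_SERVER['SERVER_NAME'] ?? null)) {
    writeLog('reCAPTCHA verification failed');
    die('reCAPTCHA verification failed.');
}

// Form token, field names and reCAPTCHA are all checked; process $_POST here.
```

The order of the checks is deliberate: the cheap, local form-token and whitelist checks run first, and the outbound siteverify request is made only for submissions that have already passed them. Every failure path, including a network error talking to siteverify, fails closed.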
