I was previously using reCAPTCHA V1 in conjunction with FormMail.cgi from Matt's Script Archive, with the following Perl function to validate the reCAPTCHA response:

```perl
sub check_captcha {

    my $ua = LWP::UserAgent->new();
    my $result=$ua->post(
        'http://www.google.com/recaptcha/api/verify',
        {
            privatekey => 'MyPrivateKey',
            remoteip   => $ENV{'REMOTE_ADDR'},
            challenge  => $Form{'recaptcha_challenge_field'},
            response   => $Form{'recaptcha_response_field'}
        }
    );
    if ( $result->is_success && $result->content =~ /^true/) {
        return;
    } else {
        &error('captcha_failed');
    }
}
```

reCAPTCHA V1 is shutting down at the end of March 2018, so I need to move to reCAPTCHA V2. However, I'm having trouble validating the response in the CGI script.

Based on the server side documentation, here is what I've tried so far (without success):

```perl
sub check_captcha {

    my $ua = LWP::UserAgent->new();
    my $result=$ua->post(
        'https://www.google.com/recaptcha/api/siteverify',
        {
            secret     => 'MyPrivateKey',
            remoteip   => $ENV{'REMOTE_ADDR'},
            response   => $Form{'g-recaptcha-response'}
        }
    );
    if ( $result->is_success && $result->content =~ /"success": true/ ) {
        return;
    } else {
        &error('captcha_failed');
    }
}
```

The above always branches to the 'captcha_failed' error.

Thank you in advance for your time reading my question; I appreciate any assistance the community could offer.

Many thanks!

Lee Mac
  • You are seriously using the form mailer from Matt's Script Archive in 2018? – simbabque Jan 02 '18 at 14:57
  • Have you printed out the response content? Does the request succeed? Can you install additional modules on your server to load debugging tools? It would be interesting to see the communication between your script and Google. – simbabque Jan 02 '18 at 15:00
  • @simbabque I'm very inexperienced in this area and FormMail from Matt's Script Archive was the best solution I could find at the time. Could you possibly suggest something more appropriate to drive a simple website contact form please? – Lee Mac Jan 02 '18 at 15:11
  • It really depends on what kind of hosting you have. If it's really just a contact form, CGI is not a problem I guess. But that code is **OLD**. And you're probably not using all its features, if it has any. [This talk](https://www.youtube.com/watch?v=jKOqtRMT85s) explains why CGI is not the best choice today. But if you're on shared hosting, you don't have a lot of alternatives. You can write relatively clean, modern code even with CGI (or with a Plack setup on CGI) though. Stick together a couple of modules, a few lines of code, and it will be way nicer than that old stuff. – simbabque Jan 02 '18 at 15:16
  • @simbabque Thank you for the information, I appreciate your time. I am indeed on shared hosting and unable to install additional modules on the web server. After watching the video you linked, I am discouraged from using CGI, but fear that I have no choice given my hosting. Nevertheless, thank you for your suggestions. – Lee Mac Jan 02 '18 at 15:41

1 Answer

I can't see any obvious problems with your code. But I wonder why you're implementing this yourself when Google::reCAPTCHA exists.

```perl
use Google::reCAPTCHA;

my $c = Google::reCAPTCHA->new( secret => 'MyPrivateKey' );

# Verifying the user's response
my $success = $c->siteverify(
  response => $Form{'g-recaptcha-response'},
  remoteip => $ENV{'REMOTE_ADDR'},
);

if ( $success ) {
  # CAPTCHA was valid
}
```

And why are you using code from Matt's Script Archive?

Dave Cross
  • Many thanks Dave, I wasn't aware that existed and so I really appreciate the steer in the right direction. I'm on shared hosting and after contacting my hosting provider, I find I'm unable to install additional Perl modules on the server. Therefore, is the above still a viable option? As for Matt's Script Archive - I'm very inexperienced in web development in general and that was the best solution I could find at the time to drive my site contact form - I realise it's not ideal. – Lee Mac Jan 02 '18 at 15:45
  • Well, Google::reCAPTCHA is a single source file, so you *could* just copy it into a suitable directory on the server. But it uses Params::Validate, which is a little harder to install. But, honestly, shared hosting is not a good place to try to run Perl applications. Most providers have no idea how to provide a reasonable Perl development environment. If you want to stick with Perl (and I'd encourage you to do that) then I'd recommend looking at a service that gives you the ability to install your own software. – Dave Cross Jan 02 '18 at 15:52
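
An added example, not code from the question or the answer: one way to run the siteverify check with only LWP::UserAgent and the core JSON::PP module, keeping the failure reason that the comments ask about instead of discarding it. The function names `check_siteverify_body` and `verify_recaptcha_v2` and the sample bodies are assumptions made for illustration.

```perl
use strict;
use warnings;
use LWP::UserAgent;
use JSON::PP qw(decode_json);    # core module since Perl 5.14

# Interpret a siteverify response body. Returns (1, '') or (0, $reason).
sub check_siteverify_body {
    my ($body) = @_;
    # Parse the JSON instead of pattern-matching its text, so the result
    # does not depend on whitespace or key order in the response.
    my $data = eval { decode_json($body) };
    return ( 0, 'unparseable response' ) unless ref($data) eq 'HASH';
    return ( 1, '' ) if $data->{success};
    # "error-codes" is optional, e.g. ["invalid-input-response"].
    my $codes = join ',', @{ $data->{'error-codes'} || [] };
    return ( 0, 'rejected: ' . ( $codes || 'no error code given' ) );
}

# Post the token to Google and fail closed on every error path.
sub verify_recaptcha_v2 {
    my ( $secret, $token, $remote_ip ) = @_;
    return ( 0, 'missing g-recaptcha-response' )
        unless defined $token && length $token;
    my $ua  = LWP::UserAgent->new( timeout => 10 );
    my $res = $ua->post(
        'https://www.google.com/recaptcha/api/siteverify',
        { secret => $secret, response => $token, remoteip => $remote_ip },
    );
    # Transport failures (TLS support missing from LWP, DNS, timeout) are
    # reported in status_line; keep it for the server log.
    return ( 0, 'request failed: ' . $res->status_line )
        unless $res->is_success;
    return check_siteverify_body( $res->content );
}

# Constructed sample bodies (not captured traffic) so this runs offline.
my @samples = (
    '{"success":true,"hostname":"example.com"}',
    qq({\n  "success": false,\n  "error-codes": ["invalid-input-response"]\n}),
    '<html>gateway error</html>',
);
for my $body (@samples) {
    my ( $ok, $why ) = check_siteverify_body($body);
    print $ok ? "pass\n" : "fail: $why\n";
}
```

In the CGI script, call `verify_recaptcha_v2('MyPrivateKey', $Form{'g-recaptcha-response'}, $ENV{'REMOTE_ADDR'})`, write the returned reason to the server log, and show the visitor only the generic `captcha_failed` error.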