Hello, I’m using Blocs v 5.2.6. I have recently faced an SQL injection attack using forms; 100 of messages were sent to me. So I decided to add reCAPTCHA (site key, etc. are correct), but as I’ve tested multiple times, forms are being submitted even if the reCAPTCHA is not completed.
I found this is happening when using an external mailing system, e.g. Gmail and others: the reCAPTCHA code is missing from the PHP files related to the forms.
```php
// ================== RECAPTCHA CHECK START ==================
$captcha = $_POST['g-recaptcha-response'] ?? '';
if (!$captcha) {
    // The user did not check the reCAPTCHA box at all
    echo 'capture-error';
    exit;
}
$secretKey = 'YOUR_SECRET_KEY'; // <-- Replace with your secret key
$ip = $_SERVER['REMOTE_ADDR'];
// URL-encode every value so the submitted token cannot break or extend the query string
$response = file_get_contents(
    "https://www.google.com/recaptcha/api/siteverify?"
    . http_build_query([
        'secret'   => $secretKey,
        'response' => $captcha,
        'remoteip' => $ip,
    ])
);
// file_get_contents() returns false on a connection error; treat that as a failed check
$responseKeys = ($response === false) ? null : json_decode($response, true);
if (empty($responseKeys["success"]) || $responseKeys["success"] !== true) {
    // The user did not pass the reCAPTCHA challenge or connection error
    echo 'capture-connection-error';
    exit;
}
// ================== RECAPTCHA CHECK END ==================
```