How can I implement Google Recaptcha v3 in a PHP form?

php recaptcha contact-form recaptcha-v3

10,603

I have searched this and other forums to implement the new version of ReCaptcha (V3) in my forms. I needed to know how to:

Insert it with JS
How to validate it with PHP
What new fields were needed in my form.

I did not find any simple solution, which would show me all these points, or it was too complicated for somebody who just wanted to insert a contact form on their website.

At the end, taking some code portions of multiple solutions, I use a simple and reusable code, in which you only have to insert the corresponding keys.

Here it is.

The basic JS code

<script src="https://www.google.com/recaptcha/api.js?render=your reCAPTCHA site key here"></script>
<script>
    grecaptcha.ready(function() {
    // do request for recaptcha token
    // response is promise with passed token
        grecaptcha.execute('your reCAPTCHA site key here', {action:'validate_captcha'})
                  .then(function(token) {
            // add token value to form
            document.getElementById('g-recaptcha-response').value = token;
        });
    });
</script>

The basic HTML code

<form id="form_id" method="post" action="your_action.php">
    <input type="hidden" id="g-recaptcha-response" name="g-recaptcha-response">
    <input type="hidden" name="action" value="validate_captcha">
    .... your fields
</form>

The basic PHP code

    if(isset($_POST['g-recaptcha-response'])){
        $captcha=$_POST['g-recaptcha-response'];
    }
    else
        $captcha = false;

    if(!$captcha){
        //Do something with error
    }
    else{
        $secret = 'Your secret key here';
        $response = json_decode(file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=".$secret."&response=".$captcha."&remoteip=".$_SERVER['REMOTE_ADDR']));
        if($response->{'success'}==false)
        {
            //Do something with error
        }
    }
    
   //... The Captcha is valid you can continue with the rest of your code
  //... Add code to filter access using $response . score
    if ($response->{'success'}==true && $response->{'score'} <= 0.5) {
        //Do something to denied access
    }

You have to filter access using the value of $response->{'score'}. It can takes values from 0.0 to 1.0, where 1.0 means the best user interaction with your site and 0.0 the worst interaction (like a bot). You can see some examples of use in ReCaptcha documentation.

You only have to add your keys, no more changes needed:

    src="https://www.google.com/recaptcha/api.js?render=your reCAPTCHA site key here"    
    grecaptcha.execute('your reCAPTCHA site key here'

and

    $secret = 'Your secret key here';

Obviously you also have to change the action of the form, in this example:

    action = "your_action.php"

10,603

Author by

kikerrobles

I'm a full stack developer from Spain. Most of my web applications were deployed with Laravel as PHP framework.

Updated on June 14, 2022

Comments

kikerrobles about 2 years

I would like to insert a contact form the new version (V3) of Recaptcha.

I have looked for different solutions, but they only show part of the code, they are incomplete or I get an error, and most of the solutions found are very complicated for something so simple and I do not understand the code.
GrumpyCrouton over 5 years

Thank you for contributing!
VenomRush over 5 years

Google needs to have more thorough documentation for reCaptcha. I spent hours trying to figure out why I wasn't getting it to work, only to find out that they failed to mention adding a hidden form field for the token to be added to.
a coder almost 5 years

Can you explain what {action:'validate_captcha'} does on the execute line of the JS? The only other reference is this hidden field: <input type="hidden" name="action" value="validate_captcha">. Trying to debug my instance and I'm unsure what this is doing.
kikerrobles almost 5 years

It's just for adding actions, in this code it's making nothing. You can have more information in developers.google.com/recaptcha/docs/v3 in Actions.
Els den Iep over 4 years

After using your code: how can we test if the recaptcha is working?
kikerrobles over 4 years

You can add an else condition after if($response.success==false), but if $response.success is true means that it's working. You can use $response->score too to do some actions.
clayRay almost 4 years

This code needs to be changed. ReCaptcha times out after 2 minutes, so grecaptcha.execute() needs to be called when the form is submitted, not on grecaptcha.ready()