Issue with Google reCAPTCHA using PHP

I am using Google reCAPTCHA on my website's enquiry form. I use cURL instead of file_get_contents() because allow_url_fopen is disabled on my server for security reasons. Here is the code I use to verify the reCAPTCHA:

        <?php
        // Token submitted by the form field named "captcha"
        $response = htmlspecialchars($_POST["captcha"]);
        $secret = "my_secret_key";
        $curl = curl_init();

        $captcha_verify_url = "https://www.google.com/recaptcha/api/siteverify";

        curl_setopt($curl, CURLOPT_URL, $captcha_verify_url);
        curl_setopt($curl, CURLOPT_POST, true);
        curl_setopt($curl, CURLOPT_POSTFIELDS, "secret=".$secret."&response=".$response);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);

        $captcha_output = curl_exec($curl);
        curl_close($curl);
        $decoded_captcha = json_decode($captcha_output);
        $captcha_status = $decoded_captcha['success']; // store validation result to a variable.
        if ($captcha_status === FALSE) {
          echo "fail";
        } else {
          echo "success";
        }
        ?>

My problem is that when I test the reCAPTCHA, if I change the Google URL to anything, or change my secret key to anything, I still get the "success" response. If the secret key is wrong it shouldn't return success, right? Even if I change google_verify_url I get a success response. I don't understand what is happening. Is there something wrong on my side?

http://php.net/manual/en/function.json-decode.php

assoc When TRUE, returned objects will be converted into associative arrays.

$decoded_captcha = json_decode($captcha_output, true);

It is better to catch exceptions:

try {
 ......
} catch (Throwable $exception) {
   echo $exception;
}

When you send the request with wrong parameters, the response from curl will be NULL rather than FALSE, which is why it always returns success. You also get a warning because you are using an object as an array. This should work:

$response = htmlspecialchars($_POST["captcha"]);
$secret = "my_secret_key";
$curl = curl_init();

$captcha_verify_url = "https://www.google.com/recaptcha/api/siteverify";

curl_setopt($curl, CURLOPT_URL, $captcha_verify_url);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, "secret=".$secret."&response=".$response);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);

$captcha_output = curl_exec($curl);
curl_close($curl);

$decoded_captcha = json_decode($captcha_output, TRUE); // Changed the second parameter: decode to an associative array
$captcha_status = $decoded_captcha['success'];

if ($captcha_status == NULL) { // Changed False to Null
  echo "fail";
} else {
  echo "success";
}
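The two answers above make the same two points: decode the siteverify body as an associative array (`json_decode($body, true)`), and do not write a comparison that passes when the decoded value is missing. The following is an added example, not code from the question or from either answer, showing how a practitioner would put those points together in a verifier that fails closed: a transport failure (bad URL, TLS error, timeout), a non-200 status, a non-JSON body, a missing or non-boolean `success`, and a token solved on a different hostname are all rejected. The hostname check, the `remoteip` field, the timeout and TLS options, and the use of `http_build_query` for encoding are my additions; the function names and the sample JSON bodies at the bottom are constructed for illustration and are not recorded Google responses.

```php
<?php
declare(strict_types=1);

/**
 * Fail-closed reCAPTCHA v2 server-side verification (added example).
 * Returns true only for an unambiguous {"success": true} from Google
 * that also matches the expected hostname when one is given.
 */
function verifyRecaptcha(string $secret, string $token, ?string $remoteIp = null, ?string $expectedHostname = null): bool
{
    // Reject empty or absurdly long tokens before spending a network round trip.
    if ($token === '' || strlen($token) > 4096) {
        return false;
    }

    $fields = ['secret' => $secret, 'response' => $token];
    if ($remoteIp !== null) {
        $fields['remoteip'] = $remoteIp;
    }

    $ch = curl_init('https://www.google.com/recaptcha/api/siteverify');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        // http_build_query URL-encodes each value; string concatenation does not.
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $body     = curl_exec($ch);
    $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $curlErr  = curl_error($ch);
    curl_close($ch);

    // Transport failure: curl_exec returns false, not a JSON string. Fail closed.
    if ($body === false || $curlErr !== '' || $httpCode !== 200) {
        return false;
    }
    return interpretSiteverifyBody($body, $expectedHostname);
}

/**
 * Pure decision logic over a siteverify JSON body, separated from the
 * network call so it can be exercised offline with constructed responses.
 */
function interpretSiteverifyBody(string $body, ?string $expectedHostname = null): bool
{
    $decoded = json_decode($body, true); // true -> associative array, not stdClass
    if (!is_array($decoded) || json_last_error() !== JSON_ERROR_NONE) {
        return false; // empty body, HTML error page, truncated JSON
    }
    // Strict identity with bool true: null, "true", 1 and a missing key all fail.
    if (($decoded['success'] ?? null) !== true) {
        return false;
    }
    if ($expectedHostname !== null && ($decoded['hostname'] ?? null) !== $expectedHostname) {
        return false; // token was solved on a different site
    }
    return true;
}

// Constructed sample bodies (not real Google responses) exercising the edge cases.
$samples = [
    'valid'      => '{"success": true, "challenge_ts": "2024-01-01T00:00:00Z", "hostname": "example.com"}',
    'bad secret' => '{"success": false, "error-codes": ["invalid-input-secret"]}',
    'other host' => '{"success": true, "hostname": "evil.example"}',
    'not json'   => '<html>502 Bad Gateway</html>',
    'empty'      => '',
];
foreach ($samples as $label => $body) {
    printf("%-10s -> %s\n", $label, interpretSiteverifyBody($body, 'example.com') ? 'accept' : 'reject');
}
```

Only the first sample is accepted; every other path, including the one the question describes (a changed URL or secret), ends in `reject`. In production, call `verifyRecaptcha($secret, $_POST['g-recaptcha-response'] ?? '', $_SERVER['REMOTE_ADDR'], 'your-domain')` and run `htmlspecialchars` only when echoing a value back into HTML, not on the token you send to Google.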