Hey, so I have had this submit form on my website for a few months, but every now and then bots still manage to submit my form even though I do use reCAPTCHA.
What am I doing wrong?
Code (PHP):
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-1BmE4kWBq78iYhFldvKuhfTAU6auU8tT94WrHftjDbrCEXSU1oBoqyl2QvZ6jIW3" crossorigin="anonymous">
<link rel="stylesheet" href="style.css">
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<script src="https://www.google.com/recaptcha/enterprise.js?render=6Lci2pkkAAAAAMiyayyetw1U-CPysP2Ibbmk6nVz"></script>
<title>Contact formulier</title>
</head>
<style>
.welkom{
background-color: #66b3ff;
background-image: url("delta_fiber_logo.png");
background-repeat: no-repeat;
background-position: center;
position: relative;
height: 50%;
margin-bottom: 5%;
display: flex;
justify-content: center;
}
.welkom p{
padding-top: 10%;
color: #fff;
font-family: Arial;
font-size: 60px;
}
</style>
<body>
<div class="welkom">
</div>
<div class="submit_form">
<h1> Contact formulier</h1>
<form action="contactform_backend.php" method="post">
<div class="form-group">
<label for="naam">Naam:</label>
<input type="text" class="form-control" id="naam" name="naam" placeholder="Naam" required="required">
</div>
<div class="form-group">
<label for="email">Email address:</label>
<input type="email" class="form-control" id="email" name="email" placeholder="Email" required="required">
</div>
<div class="form-group">
<label for="user_message">Bericht: </label>
<textarea id="user_message" name="user_message" rows="4" maxlength="250" placeholder="Je bericht" required="required"></textarea>
</div>
<div class="g-recaptcha" data-sitekey="sitekey" data-callback="enableBtn"></div>
<br>
<button type="submit" id="check_recaptcha" class="btn btn-default" disabled style="background-color: #80bfff; color: white;">Submit</button>
</form>
</div>
</body>
<script type="text/javascript">
function enableBtn(){
document.getElementById("check_recaptcha").disabled = false;
}
</script>
</html>
Backend:
<?php
include "../config.php";
include "../phpmailer.php";
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if(isset($_POST['g-recaptcha-response']) && !empty($_POST['g-recaptcha-response']) && !empty($_POST['naam']) && !empty($_POST['email']) && !empty($_POST['user_message'])){
        $secretKey = "secret";
        $klant = $_POST['naam'];
        $email = $_POST['email'];
        $message = $_POST['user_message'];
        $date = date("d-m-Y");
        $verifyResponse = file_get_contents('https://www.google.com/recaptcha/api/siteverify?secret='.$secretKey.'&response='.$_POST['g-recaptcha-response']);
        $responseData = json_decode($verifyResponse);
        if($responseData->success){
            $sql = "SELECT * FROM users";
            $stmt = $conn->prepare($sql);
            $stmt->execute();
            $result = $stmt->get_result();
            while ($row = $result->fetch_assoc()) {
                $adminEmail = $row['email'];
                $onderwerp = "contact formulier bericht";
                $testbericht = "
Geachte heer/mevrouw,
<br>
<p>".$message."</p>
Met vriendelijke groet,
<br>
<br>
Klant: ".$klant."
<br>
Klantemail: ".$email."
<br>
Verzonden op: ".$date."";
                mailen($adminEmail, $klant, $onderwerp, $testbericht);
            }
            $onderwerp = "Verzonden bericht";
            $testbericht = "
Geachte ".$klant."
<br>
Dit is een kopie van het bericht dat u heeft gestuurd.
<br>
".$message."
<br>
Bericht is verstuurd op: ".$date."";
            mailen($email, $klant, $onderwerp, $testbericht);
            header('Location: code_invullen.php');
        }
    }else{
        echo "<script>alert('please fill all fields ');</script>";
        echo "<script>window.location.href = '../index.php';</script>";
    }
}
?>
What I have tried:
So I added an extra dumb question in my new version, but I'm afraid that bots can still get through that one,
like a "what is 2+2" question. I don't know if that protects it better. I just need some tips.
Right now I changed the URL to:
$verifyResponse = file_get_contents('https://www.google.com/recaptcha/api/siteverify?secret='.$secretKey.'&response='.$_POST['g-recaptcha-response']."&remoteip=".$_SERVER['REMOTE_ADDR']);
Again, I'm not sure if this protects it better; I just know that the remoteip works with the IP address.
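
Added example, not part of the original post: one way to write the server-side siteverify check so that it fails closed, sending the token by POST, rejecting on network or JSON errors, and comparing the returned hostname. The names `verify_recaptcha()`, `recaptcha_result_ok()`, `EXPECTED_HOST` and the sample responses are assumptions constructed for illustration.

```php
<?php
// Added example, not the poster's code. EXPECTED_HOST and both function
// names are assumptions made for this sketch.
const EXPECTED_HOST = 'www.example.com'; // placeholder for the site's own host

function verify_recaptcha(string $secret, string $token, string $remoteIp): bool
{
    if ($token === '') {
        return false; // no token posted: reject without calling the API
    }
    // POST keeps the secret out of the URL and URL-encodes every field.
    $context = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query([
            'secret'   => $secret,
            'response' => $token,
            'remoteip' => $remoteIp,
        ]),
        'timeout' => 5,
    ]]);
    $raw = @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $context);
    if ($raw === false) {
        return false; // network failure: fail closed
    }
    return recaptcha_result_ok(json_decode($raw, true));
}

// Decision step, kept separate so it can be exercised without network access.
function recaptcha_result_ok($data): bool
{
    return is_array($data)
        && ($data['success'] ?? false) === true
        && ($data['hostname'] ?? '') === EXPECTED_HOST;
}

// Constructed sample responses in the siteverify JSON shape.
$samples = [
    '{"success": true, "hostname": "www.example.com"}',
    '{"success": true, "hostname": "other.example.net"}',
    '{"success": false, "error-codes": ["timeout-or-duplicate"]}',
    'not json',
];
foreach ($samples as $json) {
    $ok = recaptcha_result_ok(json_decode($json, true));
    printf("%-60s => %s\n", $json, $ok ? 'accept' : 'reject');
}
```

Call `verify_recaptcha($secretKey, $_POST['g-recaptcha-response'] ?? '', $_SERVER['REMOTE_ADDR'])` before any mail is sent, and stop the request when it returns false.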