Reputation: 257
I am asking a theoretical and perhaps stupid question here, but I really want to know the answer. I am currently using Django to write a website with Google reCaptcha to prevent spam when filling in the form. I have set up some JS to prevent skipping Google reCaptcha, so that every submission will show the "I am not a robot" message.
My question is: if the submission on the form has already been proven not to be spam (not a robot), then why do I have to write code in views.py to validate the Google reCaptcha, with the secret key matching the site key? Under what situation could a spam submission pass the Google reCaptcha but not the validation at the backend?
I attach my code in case you would like to refer to what I am doing, though it's a purely theoretical question. Thanks a lot.
template:
<form id="contact_form" class="form-horizontal" method="post" action="{% url 'contact' %}">
    {% csrf_token %}
    <div class="form-group">
        <!-- "bold: false" is not valid CSS; font-weight is the property that controls boldness -->
        <span id="name_err" style="color:red; font-weight:normal; font-size:1vw; padding-left:1vw; display:none">Please enter your name</span>
        <label class="control-label col-sm-2" for="name">Name:</label>
        <div class="col-sm-10">
            <input type="text" class="form-control" id="name" name="name" placeholder="Enter name here">
        </div>
    </div>
    <script src='https://www.google.com/recaptcha/api.js'></script>
    <!-- the widget adds a hidden field named g-recaptcha-response to the POST body -->
    <div style="padding-left: 11vw;" class="g-recaptcha" data-sitekey="xxx"></div><br>
    <div style="padding-left: 11vw;" id="submit-div"><input type="submit" value="post" class="btn btn-primary"></div>
</form>
views.py
import json
import urllib.parse
import urllib.request

from django.conf import settings


def contact(request):  # view name assumed from {% url 'contact' %} in the template
    if request.method == 'POST':
        contact_name = request.POST.get('name')
        contact_email = request.POST.get('email')
        contact_subject = request.POST.get('subject')
        contact_message = request.POST.get('message')
        # Token the widget placed in the form; empty if the client skipped the challenge
        recaptcha_response = request.POST.get('g-recaptcha-response')
        url = 'https://www.google.com/recaptcha/api/siteverify'
        values = {
            'secret': settings.GOOGLE_RECAPTCHA_SECRET_KEY,
            'response': recaptcha_response,
        }
        data = urllib.parse.urlencode(values).encode()
        req = urllib.request.Request(url, data=data)
        response = urllib.request.urlopen(req)
        result = json.loads(response.read().decode())
        # End reCAPTCHA validation: result['success'] (and result['hostname'])
        # must be checked before the submission is trusted
Upvotes: 0
Views: 471
Reputation: 110
I'm not entirely sure what you are asking, but you are validating that the response is valid for your webpage; the user could have gotten a reCaptcha response from another server and then inserted that into your form submission.
The recaptcha_response might be a valid response but not for your site; that's what you are checking. I hope that helps.
Upvotes: 1
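To make the answer concrete, here is an added example (not the asker's code or Google's library) of the server-side check a view should perform: it rejects a missing token, a token Google does not recognise or has already seen, and a token that was solved on a different hostname. The siteverify URL and the success, hostname and error-codes fields are Google's documented ones; the function names, the injectable post parameter and the constructed replies are mine.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def _post_siteverify(secret, token, remote_ip=None):
    """Default transport: POST the token to Google and return the parsed JSON reply."""
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(SITEVERIFY_URL, data=data)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode())


def verify_recaptcha(token, secret, expected_hostname, remote_ip=None, post=_post_siteverify):
    """Return (ok, reason). In a Django view call it as
    verify_recaptcha(request.POST.get('g-recaptcha-response'),
                     settings.GOOGLE_RECAPTCHA_SECRET_KEY, request.get_host())
    (get_host() must be compared without a port, since 'hostname' carries none)."""
    if not token:
        return False, "missing-token"  # client-side JS bypassed or widget never solved
    try:
        result = post(secret, token, remote_ip)
    except Exception as exc:  # Google unreachable: fail closed, never accept blindly
        return False, f"siteverify-unreachable: {exc}"
    if not result.get("success"):
        # e.g. 'invalid-input-response' (forged token) or 'timeout-or-duplicate'
        # (a real token replayed a second time or submitted after it expired)
        return False, ",".join(result.get("error-codes", ["unknown"]))
    if result.get("hostname") != expected_hostname:
        # Valid token, but solved on another site and pasted into this form
        return False, f"hostname-mismatch:{result.get('hostname')}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed siteverify replies (no network): a token issued for our site
    # versus one solved on someone else's domain.
    ours = lambda s, t, ip: {"success": True, "hostname": "example.com"}
    theirs = lambda s, t, ip: {"success": True, "hostname": "other.example"}
    print(verify_recaptcha("tok", "secret", "example.com", post=ours))    # (True, 'ok')
    print(verify_recaptcha("tok", "secret", "example.com", post=theirs))  # hostname-mismatch
```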