Reputation: 1259
So I am having issues with a custom PHP contact form not blocking spam mail from being sent. I have added the Google ReCaptcha and also added a function to check if a hidden field has been filled in, and if so, do not send the message. But my client is still receiving spam mail. The client also recently migrated code from HubSpot and I am wondering if there may be something that was built in the widgets I am missing. I am new at PHP so please forgive any rookie mistakes :). Thanks in advance for any help!
HTML FORM:
    <div class="contact-form">
        <form id="contact-form" method="post" action="contact-form-handler.php">
            <input name="companyname" type="text" id="companyName" placeholder=" Company Name" required>
            <input name="name" type="text" id="contactName" placeholder=" Contact Person" required>
            <input name="email" type="email" id="Email" placeholder=" Your Email" required>
            <!-- honeypot: real users leave this empty, bots tend to fill it -->
            <p class="antispam">Leave this empty: <input type="text" name="url" /></p>
            <input type="tel" id="Phone" name="Phone" placeholder=" Phone Number" required>
            <textarea name="message" class="form-control" placeholder=" Write your message here..." style="white-space:pre-wrap; height:200px;width:500px;" rows="4" required></textarea>
            <div class="g-recaptcha" data-sitekey="6LcqLWkUA2AAADEMnsD4sZEj4BqmqGhx8CN5Hhqf" data-callback="recaptcha_callback"></div>
            <input type="submit" id="submit_btn" name="submit_form" value="SEND MESSAGE" onclick="myFunction()" disabled>
        </form>
    </div>
PHP Handler:
    <?php
    if (isset($_POST['submit_form'])) {
        $name = $_POST['name'];
        $secretKey = "6LcqLWkUAAAAAOG_Z9lpScLz0nftfFoYgpENfwDp";
        $responseKey = $_POST['g-recaptcha-response'];
        $userIP = $_SERVER['REMOTE_ADDR'];
        $url = "https://www.google.com/recaptcha/api/siteverify?secret=$secretKey&response=$responseKey&remoteip=$userIP";
        $response = file_get_contents($url);
        $response = json_decode($response);
        if ($response->success)
            echo "Verification success. Your name is $name";
        else
            echo "Verification Failed";
    }

    $public_key = "6LcpmGgUAAAAAI6O2SQv1TdYu9z9yzmXclU2-rzu";
    $private_key = "6LclmGgUAA2AALd9pZTaOzOV4tThdZNLeJ56WNno";
    $reCaptchaUrl = "https://www.google.com/recaptcha/api/siteverify?secret=$secretKey&response=$responseKey&remoteip=$userIP";

    $companyname = $_POST['companyname'];
    $name = $_POST['name'];
    $url = $_POST['url'];
    $email = $_POST['email'];
    $phone = $_POST['Phone'];
    $message = $_POST['message'];

    /* Check if the form has been submitted */
    if (array_key_exists('submit_form', $_POST)) {
        /* The response given by the form being submitted */
        $response_key = $_POST['g-recaptcha-response'];
        /* Send the data to the API for a response */
        $response = file_get_contents($url.'?secret='.$private_key.'&response='.$response_key.'&remoteip='.$_SERVER['REMOTE_ADDR']);
        /* json decode the response to an object */
        $response = json_decode($response);
        /* if success */
        if ($response->success == 1) {
            echo "You passed validation!";
        } else {
            echo "You are a robot and we don't like robots.";
        }

        // if the url field is empty
        if (isset($_POST['url']) && $_POST['url'] == '') {
            // then send the form to your email
            mail( '[email protected]', '[email protected]', 'Contact Form', print_r($_POST, true) );
        }
        // otherwise, let the spammer think that they got their message through
    }
Upvotes: 0
Views: 491
Reputation: 12120
Ehm, a simple check: you have a line with the following content:
    echo "You are a robot and we don't like robots.";
...after that line, you send the mail, regardless of the ReCaptcha check.
If the captcha check failed, you should immediately stop the script through something like `exit` or `die`. This might be a first step - probably, you should add some more logging to your code to debug this further if there is still spam coming through to your customer.
Upvotes: 6
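To make the point of the answer concrete, here is an added example of a handler in which the mail is only reachable after both the honeypot and the reCAPTCHA check have passed. It is not the question's or the answer's code. It assumes the field names from the question's form (`companyname`, `name`, `email`, `Phone`, `message`, the `url` honeypot and `g-recaptcha-response`), a placeholder secret key and recipient address that you replace with your own, and it deliberately uses a distinct variable name for the verification endpoint so it cannot be confused with the honeypot field's value (in the question's handler `$url` is reassigned to `$_POST['url']` before the siteverify request is built).

```php
<?php
// Added example (not the question's or the answer's code): a contact-form
// handler that only sends mail when BOTH the honeypot and the reCAPTCHA
// check pass. Each failure path ends the script with exit, so nothing
// further down can run.

const RECAPTCHA_SECRET = 'YOUR_RECAPTCHA_SECRET_KEY'; // placeholder, replace
const RECIPIENT        = 'client@example.com';       // placeholder, replace
const VERIFY_ENDPOINT  = 'https://www.google.com/recaptcha/api/siteverify';

// Ask the siteverify API whether the token is valid. Returns true only on
// an explicit "success": true; a transport or JSON failure counts as failure.
function recaptcha_passed(string $secret, string $token, string $remoteIp): bool
{
    if ($token === '') {
        return false;
    }
    $context = stream_context_create([
        'http' => [
            'method'  => 'POST',
            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
            'content' => http_build_query([
                'secret'   => $secret,
                'response' => $token,
                'remoteip' => $remoteIp,
            ]),
            'timeout' => 5,
        ],
    ]);
    $raw = @file_get_contents(VERIFY_ENDPOINT, false, $context);
    if ($raw === false) {
        return false;
    }
    $decoded = json_decode($raw, true);
    return is_array($decoded) && ($decoded['success'] ?? false) === true;
}

// The honeypot passes only when the field is present and empty.
function honeypot_passed(array $post): bool
{
    return isset($post['url']) && $post['url'] === '';
}

// Strip CR/LF so user input can never inject additional mail headers.
function header_safe(string $value): string
{
    return str_replace(["\r", "\n"], '', trim($value));
}

if (!isset($_POST['submit_form'])) {
    http_response_code(405);
    exit('Method not allowed');
}

// 1. Honeypot: log it, answer as if the message went through, and stop.
if (!honeypot_passed($_POST)) {
    error_log('contact form: honeypot tripped from ' . $_SERVER['REMOTE_ADDR']);
    exit('Thanks, your message has been sent.');
}

// 2. reCAPTCHA: on failure the script stops here; the mail() call below
//    is never reached.
$token = $_POST['g-recaptcha-response'] ?? '';
if (!recaptcha_passed(RECAPTCHA_SECRET, $token, $_SERVER['REMOTE_ADDR'])) {
    error_log('contact form: reCAPTCHA failed from ' . $_SERVER['REMOTE_ADDR']);
    http_response_code(403);
    exit('Verification failed.');
}

// 3. Only now validate the remaining input and send the mail.
$email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
if ($email === false) {
    http_response_code(400);
    exit('Invalid email address.');
}
$body = sprintf(
    "Company: %s\nName: %s\nEmail: %s\nPhone: %s\n\n%s\n",
    header_safe($_POST['companyname'] ?? ''),
    header_safe($_POST['name'] ?? ''),
    $email,
    header_safe($_POST['Phone'] ?? ''),
    trim($_POST['message'] ?? '')
);
// mail() takes (to, subject, message, headers); the sender is a placeholder.
$headers = "From: contact-form@example.com\r\n"
         . "Reply-To: " . $email . "\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";

if (mail(RECIPIENT, 'Contact Form', $body, $headers)) {
    echo 'Thanks, your message has been sent.';
} else {
    error_log('contact form: mail() returned false');
    echo 'Sorry, the message could not be sent.';
}
```

The two `error_log` calls are the "more logging" the answer suggests: if spam still arrives, the web server's error log shows whether submissions are being stopped at the honeypot, at the captcha, or not at all, which tells you which check is being bypassed.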