Back to Blog
Attack Prevention

Using hCaptcha with PHP

June 2, 2019

Share
Want to integrate hCaptcha on a site with PHP? It only takes a few seconds.

Step 1: Sign up on hCaptcha.com

You’ll need your “site key” and “secret” in order to proceed.

Click the “Sign Up Now” button on hCaptcha.com to sign up

Step 2: Add hCaptcha to your site HTML.

A. Add the JavaScript library to your page, for example in the <HEAD> or <BODY> block.

<script src='https://www.hCaptcha.com/1/api.js' async defer></script>

B. Add this HTML code where you want to show the hCaptcha button, for example inside a login form. Remember to replace “your_site_key” with your actual site key!

<div class="h-captcha" data-sitekey="your_site_key"></div>

Step 3: Validate the result on your backend server.

In order to confirm the user sent you a real passcode, and in order to get credited for the answer, you must check the result from your server while providing your secret.

The simplest way to do this with PHP is something like the following. Remember to replace “your_secret_key” with your actual secret!

if you prefer the cURL style, you could use:

We do not suggest using a GET request with URL parameters, like this:

As this may break now or in the future due to the length of the URL.

.. and you’re done!

FAQ

Q: How do I know if it’s working?

A: You’ll see the “served” / “solved” / “verified” counters on your hCaptcha.com dashboard go up.

Served when captcha is being shown to users, solved when somebody solved the challenge and verified once you successfully send the hCaptcha token the user gave you to siteverify.

If you don’t see “verified” going up after making your backend call, make sure that you are sending the siteverify request correctly.

Q: How do I prevent the user from submitting a form to my server without a valid hCaptcha response?

$("form").submit(function(event) { var hcaptchaVal = $('[name=h-captcha-response]').value; if (hcaptchaVal === "") { event.preventDefault(); alert("Please complete the hCaptcha"); } });

Q: What does a complete PHP contact form example look like?

A: here’s a complete example. Put this in contact-form.php and add your secret and site key.

<?php if(isset($_POST['submit'])): if(isset($_POST['h-captcha-response']) && !empty($_POST['h-captcha-response'])): // get verify response $data = array( 'secret' => "my-secret (REPLACE THIS VALUE WITH YOUR SECRET)", 'response' => $_POST['h-captcha-response'] ); $verify = curl_init(); curl_setopt($verify, CURLOPT_URL, "https://hcaptcha.com/siteverify"); curl_setopt($verify, CURLOPT_POST, true); curl_setopt($verify, CURLOPT_POSTFIELDS, http_build_query($data)); curl_setopt($verify, CURLOPT_RETURNTRANSFER, true); $verifyResponse = curl_exec($verify); $responseData = json_decode($verifyResponse); $name = !empty($_POST['name'])?$_POST['name']:''; $email = !empty($_POST['email'])?$_POST['email']:''; $message = !empty($_POST['message'])?$_POST['message']:''; if($responseData->success): //contact form submission code $to = 'your@email.com'; $subject = 'New contact form has been submitted'; $htmlContent = " <h1>Contact request details</h1> <p><b>Name: </b>".$name."</p> <p><b>Email: </b>".$email."</p> <p><b>Message: </b>".$message."</p> "; // Always set content-type when sending HTML email $headers = "MIME-Version: 1.0" . "\r\n"; $headers .= "Content-type:text/html;charset=UTF-8" . "\r\n"; // More headers $headers .= 'From:'.$name.' <'.$email.'>' . "\r\n"; //send email @mail($to,$subject,$htmlContent,$headers); $succMsg = 'Your contact request has been submitted successfully.'; $name = ''; $email = ''; $message = ''; else: $errMsg = 'hCaptcha verification failed. Please try again.'; endif; else: $errMsg = 'Please click on the hCaptcha button.'; endif; else: $errMsg = ''; $succMsg = ''; $name = ''; $email = ''; $message = ''; endif; ?> <html> <head> <title>Using hCaptcha with PHP</title> <script src="https://www.hCaptcha.com/1/api.js" async defer></script> </head> <body> <div> <h2>Contact Form</h2> <?php if(!empty($errMsg)): ?><div class="errMsg"><?php echo $errMsg; ?></div><?php endif; ?> <?php if(!empty($succMsg)): ?><div class="succMsg"><?php echo $succMsg; ?></div><?php endif; ?> <div> <form action="" method="POST"> <input type="text" class="text" value="<?php echo !empty($name)?$name:''; ?>" placeholder="Your full name" name="name" > <input type="text" class="text" value="<?php echo !empty($email)?$email:''; ?>" placeholder="Email adress" name="email" > <textarea type="text" placeholder="Message..." required="" name="message"><?php echo !empty($message)?$message:''; ?></textarea> <div class="h-captcha" data-sitekey="<YOUR-SITE-KEY>"></div> <input type="submit" name="submit" value="SUBMIT"> </form> </div> <div class="clear"> </div> </div> </body> </html>

Subscribe to our newsletter

Stay up to date on the latest trends in cyber security. No spam, promise.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Back to blog

Announcements

Our Position on AI Regulation

There is currently substantial interest in directly regulating the development and availability of AI, rather than its applications. Here is our position.

August 27, 2024

Security Strategy

Why Classic Browser Fingerprinting No Longer Stops Bots

Browser fingerprinting, once a powerful tool, is now thwarted by privacy-focused browsers and advanced evasion tactics, making it largely obsolete for identifying threat actors.

July 16, 2024

Attack Prevention

Passkeys Offer Both Benefits and New Attack Surfaces

Be careful when implementing passkeys. They can offer a more secure alternative to passwords when implemented correctly, but provide many ways for implementers to shoot themselves in the foot.

March 12, 2024