On Monday I deployed a brand new version of a website. There is a contact form protected by Google reCAPTCHA v2 Checkbox. Today I received the first spam (preview attached).
I mean. How is this possible? The backend implementation of the verification is as below; I believe it's not possible to successfully submit the contact form without confirmation from Google.
But still, the spam arrived!
```php
<?php
// Required fields; PHP 8 "?? throw" rejects the request when any of them is missing.
$name    = $_POST['person__name'] ?? throw new InvalidArgumentException();
$phone   = $_POST['person__phone'] ?? throw new InvalidArgumentException();
$email   = $_POST['person__email'] ?? throw new InvalidArgumentException();
$message = $_POST['message'] ?? throw new InvalidArgumentException();
$type    = $_POST['message__type'] ?? throw new InvalidArgumentException();
$captcha = $_POST['g-recaptcha-response'] ?? throw new InvalidArgumentException();

// Ask Google whether the token the browser submitted was actually solved.
$url = sprintf(
    'https://www.google.com/recaptcha/api/siteverify?secret=%s&response=%s',
    urlencode('SECRET_RECAPTCHA_KEY'),
    urlencode($captcha),
);
// file_get_contents() returns false on a network error; json_decode() would then
// yield null and the property access below would only warn, so fail closed explicitly.
$body = file_get_contents($url);
$response = $body === false ? null : json_decode($body);
if (!is_object($response) || $response->success !== true) {
    throw new InvalidArgumentException('Recaptcha');
}
```
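Added example, not the poster's code: a stricter version of the same check that POSTs to siteverify, binds the token to the host the form is served from, rejects stale tokens, and logs why each rejection happened so the log can be compared against the spam that arrives. The helper name, EXPECTED_HOSTNAME and the secret are placeholders; PHP 8 with ext-curl is assumed.

```php
<?php
// Added example (not the original poster's code): a stricter siteverify check.
// Assumed: PHP 8 with ext-curl; EXPECTED_HOSTNAME and the secret are placeholders.
declare(strict_types=1);

const EXPECTED_HOSTNAME = 'www.example.com';   // placeholder: host the form is served from
const MAX_TOKEN_AGE_SECONDS = 120;              // Google tokens expire after 2 minutes anyway

/**
 * Returns null when the token is valid, otherwise a short reason string.
 * Every failure path (network error, malformed JSON, wrong host) is a rejection.
 */
function verifyRecaptcha(string $token, string $secret, string $remoteIp): ?string
{
    $ch = curl_init('https://www.google.com/recaptcha/api/siteverify');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,          // the API is documented as a POST endpoint
        CURLOPT_POSTFIELDS     => http_build_query([
            'secret' => $secret, 'response' => $token, 'remoteip' => $remoteIp,
        ]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,             // a slow API must not hang the request
    ]);
    $body = curl_exec($ch);
    if (!is_string($body)) {
        return 'siteverify-unreachable';
    }
    $r = json_decode($body, true);
    if (!is_array($r) || ($r['success'] ?? false) !== true) {
        return 'rejected: ' . implode(',', $r['error-codes'] ?? ['no-response']);
    }
    // A token solved on a different site still yields success=true; bind it to our host.
    if (($r['hostname'] ?? '') !== EXPECTED_HOSTNAME) {
        return 'hostname-mismatch';
    }
    // challenge_ts (ISO 8601) is when the challenge was loaded; reject stale tokens.
    $loadedAt = strtotime($r['challenge_ts'] ?? '') ?: 0;
    if (time() - $loadedAt > MAX_TOKEN_AGE_SECONDS) {
        return 'token-too-old';
    }
    return null;
}

$captcha = $_POST['g-recaptcha-response'] ?? throw new InvalidArgumentException();
$reason = verifyRecaptcha($captcha, 'SECRET_RECAPTCHA_KEY', $_SERVER['REMOTE_ADDR'] ?? '');
if ($reason !== null) {
    error_log("recaptcha rejected: $reason");   // a record to correlate with spam arrivals
    throw new InvalidArgumentException('Recaptcha');
}
```

A passing check only proves the challenge was solved for this site recently; it says nothing about who solved it, so a v2 checkbox alone does not rule out spam and the rejection log is what shows whether submissions are bypassing the check or passing it.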