recaptcha completely ignored

Randall Holbrook

Jan 19, 2015, 6:28:56 PM
to reca...@googlegroups.com
I have a basic HTML form on a site hosted at GoDaddy.
I placed the two pieces of code on the form page (one in the header, one in the form just above <input type="submit" name="submit" value="Send">).
I tested the form and filled out the recaptcha, the submission processed and I received the email with the g-recaptcha-response: field. All seems well.
However, I can ignore the recaptcha completely and hit submit and the form goes through, and so do the bots!
I did not do any of the server-side instruction, as GoDaddy has the mailform locked up and is inaccessible for one, and it didn't matter to me to get verification for the users.
How does this stop bots?
thanks!

stu...@cebemedia.com

Jan 19, 2015, 11:35:37 PM
to reca...@googlegroups.com
I am having the same issue. 

The recaptcha seems to work fine for my Contact form when checked, but it can also be bypassed.  Users or bots can simply bypass the recaptcha node and submit the Contact form without checking the box.


I have the following code installed on the page (have not done any other coding for this):

    <script src="https://www.google.com/recaptcha/api.js" async defer></script>

    </head>

...

    <div class="g-recaptcha" data-sitekey="MYSITEKEYISHERE"></div>
    <br />
    <input type="submit" value="SEND" class="btn btn-orange pull-left" />


Hopefully someone knows what we did wrong (or missed) and how to correct this.

kh99

Jan 20, 2015, 5:36:43 PM
to reca...@googlegroups.com
If you want to stop the form from submitting unless the box is checked, you need to add some JavaScript. If you did only that, it would appear to work, and you might get protection from bots, but it would be simple to bypass if someone chose to. To benefit from the full security available, you need to verify the response in a server script.

kh99

Jan 20, 2015, 5:41:36 PM
to reca...@googlegroups.com
Actually I take that back, you probably wouldn't get any protection from bots since all they have to do is *not* run the JavaScript you add. You really need to validate the response on the server to get any protection.
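
The server-side check described in the replies above, as an added example that is not part of the original thread: the form handler sends the posted `g-recaptcha-response` value together with the site's secret key to Google's `siteverify` endpoint and refuses the submission unless the reply says `success`. The handler name `handle_contact_form`, the `send_mail` callback and the `PLACEHOLDER_SECRET` value are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def post_form(url, fields, timeout=5):
    """POST form-encoded fields and return the decoded JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        return json.load(resp)


def captcha_passed(form, secret, remote_ip=None, post=post_form):
    """True only if Google confirms the token posted with the form; fails closed."""
    token = (form.get("g-recaptcha-response") or "").strip()
    if not token:
        return False  # box never ticked, or a client that skipped the widget
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        reply = post(VERIFY_URL, fields)
    except (OSError, ValueError):
        return False  # network error or malformed JSON: reject the submission
    return isinstance(reply, dict) and reply.get("success") is True


def handle_contact_form(form, secret, send_mail, post=post_form):
    """Hypothetical handler: the mail goes out only after verification."""
    if not captcha_passed(form, secret, post=post):
        return 403
    send_mail(form)
    return 200


if __name__ == "__main__":
    # Constructed stand-in for Google's endpoint so the demo runs offline.
    def fake_post(url, fields):
        return {"success": fields["response"] == "constructed-valid-token"}

    for form in ({"message": "hi"},
                 {"message": "hi", "g-recaptcha-response": "constructed-valid-token"}):
        print(handle_contact_form(form, "PLACEHOLDER_SECRET", print, post=fake_post))
```

A submission with no token never reaches the mail step, and neither does one whose token Google does not confirm, which is the part the widget alone cannot enforce.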

Randall Holbrook

Jan 23, 2015, 1:14:11 AM
to reca...@googlegroups.com
Thanks for the input.