
validate reCAPTCHA Key

I'm trying to figure out the best way to sanitize and validate a reCAPTCHA key. The problem is I don't have a lot of information on how the keys are formed. I think the best way may be just to check to see if the string is 40 characters long and contains letters, numbers, dashes, and underscores. Here's the information I have from the documentation.

invalid-site-public-key: Did you make sure to copy the entire key, with all hyphens and underscores, but without any spaces? The key should be exactly 40 letters long. Source

My public key looks like this: 6Ler570SAAAAAOfjh3CNFPtuBSH_QdavHc5x_JUv. I'm just worried about writing validation that is too strict and won't let some people use the plugin that I'm writing.

This is what I'm using now but not sure if there is a better way.

if( $recaptcha_public_key ) {
    // Validate the key
    $recaptcha_public_key = filter_var($recaptcha_public_key, FILTER_VALIDATE_REGEXP, array("options"=>array("regexp"=>"/[0-9a-zA-Z_-]{40}/")));
    // Update value in database
    update_option( 'recaptcha_public_key', $recaptcha_public_key );
}

Thanks!


What you have ("/[0-9a-zA-Z_-]{40}/") is as strict as you're going to get. The point of the key is that it is random - if it conformed to a strict set of formatting rules it would be easy to crack.

Without analyzing a set of public keys, it's fair to assume that each character is completely random within the set [0-9a-zA-Z_-]. Even if this assumption is incorrect and there is some more specific pattern, this would be likely to change at some point in the future, so it's not a good idea to commit your application to the current pattern.


Why are you verifying it yourself? You aren't hitting your database with the information or displaying it on the page, are you? If you are putting it on the page, HTML-encode it and that should prevent scripts from being run.

You should just send it off to the third party using http://www.google.com/recaptcha/api/verify and it will validate it (as it states in http://code.google.com/apis/recaptcha/docs/verify.html).


This seems to be perfect

if(preg_match('#^6[0-9a-zA-Z_-]{39}$#', $key)){
    // Valid key
}

These are the current conditions of the keys:

  • 40 characters
  • Start with a "6"
  • Only alphanumeric, underscore and dash characters
0
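The points raised in this thread, combined into one added example that is not from any of the posts: the unanchored pattern in the question accepts any input that merely contains a 40-character run, `filter_var()` returns `false` on failure (which the question's code would then store), and the key should still be escaped on output. The function name `validate_recaptcha_key` and the sample inputs are hypothetical; the 40-character alphabet is the one quoted from the documentation above.

```php
<?php
// Added example, not code from the thread. Names here are hypothetical.

// Pattern from the question: unanchored, so it matches if ANY 40-character
// run of allowed characters appears somewhere in the input.
const LOOSE_PATTERN  = '/[0-9a-zA-Z_-]{40}/';
// \A and \z anchor to the real start and end of the string. Unlike $,
// \z does not also match just before a trailing newline.
const STRICT_PATTERN = '/\A[0-9a-zA-Z_-]{40}\z/';

/**
 * Return the key if it is exactly 40 allowed characters, otherwise null.
 */
function validate_recaptcha_key($input): ?string
{
    if (!is_string($input)) {
        return null;
    }
    $key = trim($input); // tolerate copy/paste whitespace around the key
    $result = filter_var($key, FILTER_VALIDATE_REGEXP,
        array('options' => array('regexp' => STRICT_PATTERN)));
    // filter_var() returns false on failure; never hand that to storage.
    return $result === false ? null : $result;
}

// Constructed sample inputs (the first is the key quoted in the question).
$key = '6Ler570SAAAAAOfjh3CNFPtuBSH_QdavHc5x_JUv';
$samples = array(
    'valid key'       => $key,
    'pasted with gap' => "  $key\n",
    'one char extra'  => $key . 'A',
    'markup appended' => $key . '"><b>x</b>',
    'too short'       => substr($key, 0, 27),
);

foreach ($samples as $label => $input) {
    $loose  = preg_match(LOOSE_PATTERN, $input) === 1;
    $strict = validate_recaptcha_key($input);
    printf("%-16s loose=%s strict=%s\n", $label,
        $loose ? 'accept' : 'reject',
        $strict === null ? 'reject' : 'accept');
    if ($strict !== null) {
        // Only a validated key would be stored (update_option() in the
        // question's plugin); escape it anyway when echoing into HTML.
        echo '  data-sitekey="',
            htmlspecialchars($strict, ENT_QUOTES, 'UTF-8'), "\"\n";
    }
}
```

The strict check deliberately does not require a leading "6", following the first answer's caution against committing to an observed pattern that may change.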
