Announcement

**SidFeyDesigns** · 10-29-21, 12:44 PM

Mike521w I just stumbled upon this thread and was thinking I could try to use your module to help protect our cart from protecting our site fraudulent bot "carding" by trying to prevent them from even adding something to the cart.

Already have reCaptcha v3 set up and installed your module using ADPR in the action list and 0.3 as the tolerance level.

On the PROD page I added this inside the add to cart form:

Code:

<input type="hidden" name="GoogleReCaptchaResponse" value="">

And this directly after the form element:

Code:

[script src="https://www.google.com/recaptcha/api.js?render=our_site_key"][/script]
[script]
grecaptcha.ready(function() {
grecaptcha.execute('our_site_key', {action: 'Add2Cart'}).then(function(token) {
jQuery("#js-purchase-product input[name='GoogleReCaptchaResponse']").val(token);
});
});
[/script]

It works great as long as the customer adds a product to the cart before the token expires which I believe is 2 minutes.

I would assume a fix for that would be to run the recaptcha function with on submit or on click.

But it gets tricky (for me at least). Since this form uses an ajax add to cart function I also need it to run the recaptcha function again so a new token is given on the next attempt to add the same product to the cart again.

I can send the ajax code privately since it will not let me post here.

Any help would be greatly appreciated.

Not opposed to hiring someone to help with this either.

**Mike521w** · 11-30-21, 06:48 AM

Hi @sidFeyDesigns, sorry for the delayed response, it's been a while since I logged in.

Your setup sounds good to me. I agree, if your customer looks at the product page for a while before adding to cart, then the token will expire. The solution would be to run the `grecaptcha.execute()` on form submit.

This should still work even if you're using ajax to submit the form, and the customer might re-submit the same form later. For example maybe something like:

Code:

[script]
let handleButtonClick = event => {
    event.preventDefault();
    grecaptcha.execute('our_site_key', {action: 'Add2Cart'}).then(function(token) {
        jQuery("#js-purchase-product input[name='GoogleReCaptchaResponse']").val(token);

        //proceed with add to cart ajax here, maybe something like:
        jQuery.ajax( jQuery("#js-purchase-product").attr("action"), jQuery("#js-purchase-product").serialize(), response=>{
            //do something with the response
        });
    });
};
[/script]
<button type="submit" onClick="handleButtonClick">Submit</button>

I just wrote this off the top of my head, syntax etc may be wrong and I'm not sure about the setup for jQuery.ajax, I could have things reversed. But anyway that's a general idea

**sami** · 06-20-22, 01:13 PM

Hi @Mike521w! Thank you for creating this module, I have been trying to get reCaptcha set up on my forms for a while now and this is the closest I've come.

I only dabble in development, but I'm trying to implement this on my ICSQ form on my LOGN page and I'm not getting it to work.

I have my API keys, set to reCaptcha v3. My form has the ID="ICSQ". Here is my code:

[script src="https://www.google.com/recaptcha/api.js?render=ABCDEFG"][/script]
[script type="text/javascript"]
function onClick(e) {
e.preventDefault();
grecaptcha.ready(function() {
grecaptcha.execute('ABCDEFG', {action: 'homepage'}).then(function(token) {
jQuery("#ICSQ input[name='GoogleReCaptchaResponse']").val(token);
});
});
}
[/script]

and in my form:

[input name="GoogleReCaptchaResponse" value="" type="hidden" required aria-required="true"]

And then in the module I have it set to monitor ICSQ, and have played with lots of tolerances but I can't get it to let me pass through the form without a 403 no matter if I set to the tolerance as low as 0 or 0.01. I get a 403 no matter what.

I was also able to view the module code and can see where it sets the return page to 403 - I was thinking I'd like to set this to my 404 page instead. Is that a bad idea? Any assistance would be appreciate!

Thank you,
Sami

**mstella1** · 07-07-22, 06:41 AM

Hi,

Posting this for anyone else that is struggling with bots and fake form submissions. I have been using a random math equation for years and obviously they figured out a way around it. The number of submissions was getting to be a lot of work for us to sort through all day. All I did was remove the + sign in the form that is in html, replaced it with an image of a plus sign. Named it "minus.gif" and changed the alt to alt="-". That worked for me and instead of 20+ submissions an hour we have not received one fake submission.

Hope that helps anyone looking for something quick and simple.

Mike

**RaguTom** · 03-17-23, 10:37 AM

Sorry to bubble this one to the top again. I am getting a ton of fake creations on a daily basis.

Mike521w and others,
Does anyone know if the module is still working? When I enable it, every request is shuffled to the 403 page.

Possibly I am doing something wrong with my utilization? I have added the MVC and it appears in System Extensions. I set the site and secret keys. For now, I set watched page to LOGN at .3.
On the LOGN page, I put the JS with the site key embedded, towards the end, but still within the </HTML> tag. In the login form, I put the hidden GoogleReCaptchaResponse line, right under the hidden Action LOGN line.
It is probably important to add that on the reCAPTCHA admin console, I am not seeing any hits when I try to login.

Tom

Announcement

Someone is creating new fake customers accounts

Comment

Comment

Comment

Comment

Comment