BandonRandon - 19 days ago 5
PHP Question

validate reCAPTCHA Key

I'm trying to figure out the best way to sanitize and validate a reCAPTCHA key. The problem is I don't have a lot of information on how the keys are formed. I think the best way may be just to check to see if the string is 40 characters long and contains letters, numbers, dashes, and underscores. Here's the information I have from the documentation.


invalid-site-public-key: Did you make sure to copy the entire key, with all hyphens and underscores, but without any spaces? The key should be exactly 40 letters long. Source


My public key looks like this
6Ler570SAAAAAOfjh3CNFPtuBSH_QdavHc5x_JUv
I'm just worried about writing validation that is too strict and won't let some people use the plugin that I'm writing.

This is what I'm using now but not sure if there is a better way.

    if( $recaptcha_public_key ) {
        //validate the key
        $recaptcha_public_key = filter_var($recaptcha_public_key, FILTER_VALIDATE_REGEXP, array("options"=>array("regexp"=>"/[0-9a-zA-Z_-]{40}/")));
        // Update value in database
        update_option( 'recaptcha_public_key', $recaptcha_public_key );
    }


Thanks!

Answer

What you have ("/[0-9a-zA-Z_-]{40}/") is as strict as you're going to get. The point of the key is that it is random - if it conformed to a strict set of formatting rules it would be easy to crack.

Without analyzing a set of public keys, it's fair to assume that each character is completely random within the set [0-9a-zA-Z_-]. Even if this assumption is incorrect and there is some more specific pattern, this would be likely to change at some point in the future so it's not a good idea to commit your application to the current pattern.
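
The character-set-and-length pattern discussed above only constrains the whole value when it is anchored, and `filter_var()` returns `false` on a mismatch, which should not be written to the database. The following is an added example, not the asker's plugin code: `validate_recaptcha_key()` is a hypothetical helper, the inputs are constructed around the key shown in the question, and trimming surrounding whitespace is an assumption about how lenient the plugin wants to be.

```php
<?php
// Added example: compares the unanchored pattern with an anchored one.

/**
 * Hypothetical helper: return the key if the WHOLE value is exactly
 * 40 characters from [0-9A-Za-z_-], otherwise null.
 */
function validate_recaptcha_key($raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    // Assumption: tolerate whitespace picked up by copy/paste around the key.
    $key = trim($raw);
    // \A and \z anchor the match to the start and end of the string, so
    // nothing may precede or follow the 40 allowed characters.
    $result = filter_var($key, FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => '/\A[0-9A-Za-z_-]{40}\z/'],
    ]);
    // filter_var() returns false on a mismatch; map it to null so callers
    // cannot store false by accident.
    return $result === false ? null : $result;
}

// Constructed sample inputs based on the key from the question.
$key = '6Ler570SAAAAAOfjh3CNFPtuBSH_QdavHc5x_JUv';
$samples = [
    'key as given'         => $key,
    'surrounding spaces'   => "  $key \n",
    'extra characters'     => $key . 'EXTRA',
    'key inside other text' => 'text before ' . $key . ' and after',
    'one character short'  => substr($key, 0, 39),
    'space in the middle'  => substr($key, 0, 20) . ' ' . substr($key, 20),
];

foreach ($samples as $label => $input) {
    // Unanchored: succeeds if ANY 40-character run of allowed characters
    // appears somewhere in the input.
    $unanchored = preg_match('/[0-9a-zA-Z_-]{40}/', $input) === 1;
    $anchored   = validate_recaptcha_key($input) !== null;
    printf("%-24s unanchored=%-6s anchored=%s\n", $label,
        $unanchored ? 'accept' : 'reject', $anchored ? 'accept' : 'reject');
}

// In the plugin, call update_option() only when the helper returns a
// non-null value, and store that returned value rather than the raw input.
```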
