Welcome to a tutorial on how to create a simple PHP contact form with Google reCaptcha. So you want to put a contact form on your website, but are worried about spam? Well, let us walk through the steps to create a PHP contact form, and add Google reCaptcha to secure it – Read on!
TABLE OF CONTENTS
Download & Notes
PHP Contact Form
Extras
The End
DOWNLOAD & NOTES
Here is the download link to the example code, so you don’t have to copy-paste everything.
EXAMPLE CODE DOWNLOAD
Just click on “download zip” or do a git clone. I have released it under the MIT license, so feel free to build on top of it or use it in your own project.
SORRY FOR THE ADS...
But someone has to pay the bills, and sponsors are paying for it. I insist on not turning Code Boxx into a "paid scripts" business, and I don't "block people with Adblock". Every little bit of support helps.
Buy Me A Coffee Code Boxx eBooks
PHP CONTACT FORM
All right, let us now get started with the PHP contact form.
TUTORIAL VIDEO
STEP 1) REGISTER AT GOOGLE RECAPTCHA
1A) ADD YOUR SITES
Go to the Google reCAPTCHA admin panel, and simply register your website. Please take note that if you want to test the captcha on your local server, you have to add localhost and/or 127.0.0.1 (IPv4) ::1 (IPv6) into the domains list.
1B) GET THE KEYS
When you are done with the registration, Google will throw you a site key and secret key. Don’t have to copy them down on a piece of paper… We can always check back in the admin panel to get them later. 😆
STEP 2) HTML CONTACT FORM
<!-- (A) GOOGLE RECAPTCHA API -->
<script src="https://www.google.com/recaptcha/api.js"></script>
<!-- (B) PROCESS + NOTIFICATIONS -->
<?php
if (isset($_POST["name"])) {
require "3-process.php";
echo "<div id='notify'>$status</div>";
}
?>
<!-- (C) CONTACT FORM -->
<form id="cform" method="post">
<label>Name</label>
<input type="text" name="name" required>
<label>Email</label>
<input type="email" name="email" required>
<label>Message</label>
<textarea name="message" required></textarea>
<!-- (D) CAPTCHA - CHANGE SITE KEY! -->
<div class="g-recaptcha" data-sitekey="SITE KEY"></div>
<input type="submit" value="Submit">
</form>
This may seem pretty intimidating to some beginners, but keep calm and look closely.
- Load the reCaptcha Javascript library.
- This part will run only when the contact form is submitted. Using
3-process.phpto verify the captcha, and send the contact form via email. - Self-explanatory. The contact form itself.
- Where you want the captcha to be at. Remember to insert the site key.
That’s all for the HTML form.
STEP 3) PHP PROCESSING
<?php
// (A) PROCESS STATUS
$status = "";
// (B) VERIFY CAPTCHA
$secret = "SECRET KEY"; // CHANGE TO YOUR OWN!
$url = "https://www.google.com/recaptcha/api/siteverify?secret=$secret&response=".$_POST["g-recaptcha-response"];
$verify = json_decode(file_get_contents($url));
if (!$verify->success) { $status = "Invalid captcha"; }
// (C) SEND MAIL
if ($status=="") {
$mailTo = "admin@site.com"; // CHANGE TO YOUR OWN !
$mailSubject = "Contact Form";
$mailBody = "";
foreach ($_POST as $k=>$v) {
if ($k!="g-recaptcha-response") { $mailBody .= "$k: $v\r\n"; }
}
if (@mail($mailTo, $mailSubject, $mailBody)) { $status = "OK"; }
else { $status = "Failed to send mail"; }
}
echo $status;
This should not be much of a mystery… We are just sending the captcha and secret key to the reCaptcha server for validation. Thereafter, send the submitted contact form out via email.
EXTRA) AJAX FORM SUBMISSION
// (B1) GET FORM DATA - APPEND RECAPTCHA RESPONSE
var data = new FormData(document.getElementById("cform"));
data.append("g-recaptcha-response", grecaptcha.getResponse());
// (B2) AJAX FETCH
fetch("3-process.php", { method: "POST", body: data })
.then(res => res.text())
.then(txt => {
// DO SOMETHING AFTER FORM SUBMISSION
console.log(txt);
});
How about submitting the form via AJAX? Simply append g-recaptcha-response: grecaptcha.getResponse() to the data, and POST to the server as usual.
EXTRAS
Finally, here are a few extra bits and links that may be useful to you.
WHY NOT RECAPTCHA V3?
Please take note that reCaptcha V3 works in a different manner. It is completely “silent”, no image challenge will be shown to the user, and the scripts will give you a score as to how likely the user is a bot. Sounds magical, but I personally don’t quite like the idea of it.
This very likely involves machine learning and data capturing. I.E. Data is captured on how the user interacts with your website. The score is then calculated based on a comparison against how other users usually interact with your website, and probably with other similar websites too. So, just nope. I rather stick with the “low-tech” image challenge.
SECURITY STRENGTH
If you are still getting a lot of spambot messages after implementing the captcha, you can change the security level. Go back to the Google reCAPTCHA admin panel, and turn the slider all the way to “most secure” under the advanced settings. Some users may get a more difficult captcha challenge, but it does filter out a lot of unwanted spam.
LINKS & REFERENCES
- Google reCAPTCHA home page
- Official Google reCAPTCHA developer’s guide
- PHP PDO
- PHP Mail
- Mail not sending out? Here’s how to fix it – Code Boxx
THE END
Thank you for reading, and we have come to the end of this short tutorial. I hope it will help you to fight off some nasty spam on your website, and if you have stuff you wish to add to this guide, please feel free to comment below. Good luck and happy coding!
My form is currently being spammed with bots bypassing the captcha challenge using the Google speech to text api: =LINK REMOVED=
Do you have a solution for that?
Sorry, I cannot offer free security consultations. But a quick word of advice – No point trying to implement a software solution on your own, unless you want to be a security expert. A firewall, spam filter, honeypot, and plenty of anti-spambot services are your best bets.
https://code-boxx.com/faq/#help “Help on a deeper level”
Thanks Toh for the reply. I tried to modify but still not getting the results. I’m not an expert but I’m sure if you looked at it, you can easily fix the errors. Please help. Thanks!
= CODE REMOVED =
Went back to memory lane a little, not quite sure if this is what you want, set the “email from” to whatever the user enters in the contact form –
mail($mailTo, $mailSubject, $mailBody, "From: " . $_POST['email']);Not recommended for security reasons though.Otherwise, can’t help fix your personal project any further… Try hiring a freelancer if still unsure, or seek help from other programming forums – Good luck.
https://code-boxx.com/faq/#help “*INSERT CODE* Fix my project”
https://code-boxx.com/set-mail-from-php/
Hi, can you modify the code where the email address is displayed in the From header? When I receive the form submission, the emails in my inbox are not showing the sender’s name and email address. Thanks.
https://stackoverflow.com/questions/10741165/php-mail-function-from-address
Can you please explain.
1) I have done -> STEP 1) REGISTER SITE AT GOOGLE RECAPTCHA
2) I have done -> Insert the site key into 2-form.php and secret key into 3-process.php.
3) I have done -> Change $mailTo to your own in 3-process.php.
4) I have copied the code from 2-form.php onto my website page
5) Now what? What do I do with the file 2-form.css???? Do I upload it somewhere using cPanel File Manager????
6) What do I do with the file 3-process.php ??? Do I copy the copy the code onto the same page as 2-form.php OR do I upload the whole file 3-process.php with using cPanel File Manager???? — If so where????
If you have zero knowledge of web development – I will highly recommend getting a freelancer to help instead (or see if other forums are willing to help with your personal webpage). Not sponsored, but try Peopleperhour or Upwork. Good luck.
https://code-boxx.com/faq/#help “Explain Everything”
Thank you so much! Very nice form, and easy to implement.
I’m using the non-ajax implementation and wonder why after submission the page reloads to the top? My “success message” is displayed, but since my form is at bottom of website a user would have to scroll all the way back down to see success message. Thank you.
You are missing out on the basics… -_- A traditional HTML form submission will load/reload the page. Use AJAX or FETCH if you don’t want to reload the page.
https://www.tutorialspoint.com/html/html_forms.htm
https://code-boxx.com/submit-form-without-refreshing-page/