Recaptcha documentation unclear - and cross-site error testing it

Maybe this post will be helpful, as it shows exact code snippets from both the backend and frontend perspectives:

http://www.codedodle.com/2014/12/google-new-recaptcha-using-javascript.html

PHP code:

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Build the parameters for Google's verification API.
    $params = array();
    $params['secret'] = 'Your secret key here.'; // Secret key (stays on the server, never sent to the browser)
    if (!empty($_POST) && isset($_POST['g-recaptcha-response'])) {
        // http_build_query() URL-encodes the value itself; calling urlencode() first would double-encode it.
        $params['response'] = $_POST['g-recaptcha-response'];
    }
    $params['remoteip'] = $_SERVER['REMOTE_ADDR'];

    $requestURL = 'https://www.google.com/recaptcha/api/siteverify';

    // Get cURL resource
    $curl = curl_init();

    // Send the parameters in the POST body, which is what the siteverify endpoint expects.
    curl_setopt_array($curl, array(
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_URL => $requestURL,
        CURLOPT_POST => 1,
        CURLOPT_POSTFIELDS => http_build_query($params),
    ));

    // Send the request
    $response = curl_exec($curl);
    // Close request to clear up some resources
    curl_close($curl);

    // A transport failure or a non-JSON body must count as "not verified".
    $result = ($response === false) ? null : json_decode($response, true);

    if (is_array($result) && isset($result['success']) && $result['success'] === true) {
        echo '<h3 class="alert alert-success">Login Successful</h3>';
    } else {
        echo '<h3 class="alert alert-danger">Login failed</h3>';
    }
}

From what you're saying it looks like your main problem is that you're verifying the user's response in the user's browser rather than on the server. Is that true?

Just to clarify, what happens is...

  • You show the recaptcha widget in your client form.
  • The user fills it in.
  • The widget does some clever stuff and your client now has a response_string, available in your form as the field g-recaptcha-response (you can also get it using the other two JavaScript methods they mention).
  • When the user submits the form, make sure the server receives the response_string along with all your other form data.
  • On the server you have to make a request to https://www.google.com/recaptcha/api/siteverify. How you do this will depend on the language you're using on the server. Should be easy. You'll get a response saying if the user got the captcha right or not.
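The flow described in the two answers above (token arrives with the form, the server alone talks to siteverify, the secret never reaches the browser) as one reusable PHP function. This is an added example, not code from the linked post or from either answer; the function names, the injected `$transport` callback, the `example.com` hostname and the fake reply are assumptions made for this illustration. It adds the checks a practitioner wants around the bare "success" test: fail closed on network or parse errors, surface Google's error-codes (a token that was already consumed comes back rejected), and compare the echoed hostname against the site that served the widget.

```php
<?php
// Added example: server-side reCAPTCHA verification. Names and sample data are
// assumptions for this illustration, not from the linked post or the answers.

/**
 * Verify a g-recaptcha-response token with Google's siteverify endpoint.
 *
 * @param string   $secret           Server-side secret key; never ship it to the browser.
 * @param string   $token            Value of the g-recaptcha-response form field.
 * @param string   $expectedHostname Hostname the widget was served from (Google echoes it back).
 * @param ?string  $remoteIp         Optional client IP, forwarded as "remoteip".
 * @param callable $transport        fn(string $url, array $fields): ?string  -- does the HTTPS POST and
 *                                   returns the raw body, or null on network failure. Injected so the
 *                                   decision logic can be exercised offline.
 * @return array{ok: bool, reason: string}
 */
function verifyRecaptcha(string $secret, string $token, string $expectedHostname, ?string $remoteIp, callable $transport): array
{
    // Reject an empty or absurdly long token before spending a network round trip on it.
    if ($token === '' || strlen($token) > 4096) {
        return ['ok' => false, 'reason' => 'missing-or-oversized-token'];
    }

    $fields = ['secret' => $secret, 'response' => $token];
    if ($remoteIp !== null) {
        $fields['remoteip'] = $remoteIp;
    }

    $body = $transport('https://www.google.com/recaptcha/api/siteverify', $fields);
    if ($body === null) {
        // Fail closed: if Google cannot be reached, the user is not verified.
        return ['ok' => false, 'reason' => 'siteverify-unreachable'];
    }

    $reply = json_decode($body, true);
    if (!is_array($reply) || !isset($reply['success'])) {
        return ['ok' => false, 'reason' => 'malformed-reply'];
    }
    if ($reply['success'] !== true) {
        // Google explains the rejection in "error-codes" (e.g. a token already used once).
        $codes = isset($reply['error-codes']) ? implode(',', (array) $reply['error-codes']) : 'unspecified';
        return ['ok' => false, 'reason' => 'rejected:' . $codes];
    }
    // A token solved on another site's widget comes back with that site's hostname;
    // only accept the hostname this form was served from.
    if (!isset($reply['hostname']) || strcasecmp($reply['hostname'], $expectedHostname) !== 0) {
        return ['ok' => false, 'reason' => 'hostname-mismatch'];
    }
    return ['ok' => true, 'reason' => 'verified'];
}

/** Real transport for production use: HTTPS POST with cURL and a short timeout. */
function curlTransport(string $url, array $fields): ?string
{
    $curl = curl_init($url);
    curl_setopt_array($curl, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => http_build_query($fields),
        CURLOPT_TIMEOUT => 5,
    ]);
    $body = curl_exec($curl);
    curl_close($curl);
    return $body === false ? null : $body;
}

// --- Offline demonstration with a constructed (fake) siteverify reply ---
$fakeTransport = function (string $url, array $fields): ?string {
    // Constructed reply; the real reply from Google has the same shape.
    if ($fields['response'] === 'good-token') {
        return json_encode(['success' => true, 'hostname' => 'example.com', 'challenge_ts' => '2024-01-01T00:00:00Z']);
    }
    return json_encode(['success' => false, 'error-codes' => ['timeout-or-duplicate']]);
};

var_dump(verifyRecaptcha('TEST-SECRET', 'good-token', 'example.com', '203.0.113.5', $fakeTransport));
var_dump(verifyRecaptcha('TEST-SECRET', 'good-token', 'other.example', null, $fakeTransport));
var_dump(verifyRecaptcha('TEST-SECRET', 'reused-token', 'example.com', null, $fakeTransport));
```

In production, pass `'curlTransport'` as the `$transport` argument and read `$_POST['g-recaptcha-response']` for the token; the constructed `$fakeTransport` exists only so the decision logic can be exercised without network access.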

Tags: Recaptcha, Cors