验证 reCAPTCHA 密钥
我正在尝试找出清理和验证 reCAPTCHA 密钥的最佳方法。问题是我没有太多关于它们的密钥如何形成的信息。我认为最好的方法可能只是检查字符串是否有 40 个字符长并且包含字母、数字、破折号和下划线。这是我从文档中获得的信息。
无效站点公钥:您是否确保复制整个密钥(包含所有连字符和下划线,但不包含任何空格)?密钥长度应正好为 40 个字母。 来源
我的公钥如下所示 6Ler570SAAAAAOfjh3CNFPtuBSH_QdavHc5x_JUv我只是担心编写的验证过于严格并且不会让某些人使用我正在编写的插件。
这是我现在正在使用的,但不确定是否有更好的方法。
if( $recaptcha_public_key ) {
//validate the key
$recaptcha_public_key = filter_var($recaptcha_public_key, FILTER_VALIDATE_REGEXP, array("options"=>array("regexp"=>"/[0-9a-zA-Z_-]{40}/")));
// Update value in database
update_option( 'recaptcha_public_key', $recaptcha_public_key );
}
谢谢!
I'm trying to figure out the best way to sanatize and validate a reCAPTCHA key. The problem is I don't have a lot of information on how they keys are formed. I think the best way may be just to check to see if the string is 40 charicters long and contains letters,numbers,dashes, and underscores. Here's the infomation I have from the documntations.
invalid-site-public-key: Did you make sure to copy the entire key, with all hyphens and underscores, but without any spaces? The key should be exactly 40 letters long. Source
My public key looks like this 6Ler570SAAAAAOfjh3CNFPtuBSH_QdavHc5x_JUv I'm just worried about writing validation that is too strict and won't let some people use the plugin that I'm writing.
This is what I'm using now but not sure if there is a better way.
if( $recaptcha_public_key ) {
//validate the key
$recaptcha_public_key = filter_var($recaptcha_public_key, FILTER_VALIDATE_REGEXP, array("options"=>array("regexp"=>"/[0-9a-zA-Z_-]{40}/")));
// Update value in database
update_option( 'recaptcha_public_key', $recaptcha_public_key );
}
Thanks!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
您所拥有的 (
"/[0-9a-zA-Z_-]{40}/") 与您将获得的一样严格。关键在于它是随机的——如果它符合一组严格的格式规则,那么它很容易被破解。在不分析一组公钥的情况下,可以公平地假设该组
[0-9a-zA-Z_-]中的每个字符都是完全随机的。即使这个假设不正确并且存在一些更具体的模式,这也可能在将来的某个时候发生变化,因此将您的应用程序提交到当前模式并不是一个好主意。What you have (
"/[0-9a-zA-Z_-]{40}/") is as strict as you're going to get. The point of the key is that it is random - if it conformed to a strict set of formatting rules it would be easy to crack.Without analyzing a set of public keys, it's fair to assume that each character is completely random within the set
[0-9a-zA-Z_-]. Even if this is assumption is incorrect and there is some more specific pattern, this would be likely to change at some point in the future so it's not a good idea to commit your application to the current pattern.为什么要自己去验证?您没有使用信息访问数据库或将其显示在页面上,是吗?如果您将其放在页面上,请对其进行 html 编码,这应该会阻止脚本运行。
您应该使用 http://www.google.com/recaptcha/ 将其发送给第三方api/verify ,它将验证它(如 http: //code.google.com/apis/recaptcha/docs/verify.html)。
Why are you verifying it yourself? You aren't hitting your database with the information or displaying it on the page are you? If you are putting it on the page html encode it and that should prevent scripts form being run.
You should just send it off to the third party using http://www.google.com/recaptcha/api/verify and it will validate it (as it states in http://code.google.com/apis/recaptcha/docs/verify.html).
这似乎很完美
这些是键的当前条件:
人物
This seems to be perfect
These are the current conditions of the keys:
characters