From 4d20ecd43ca28ce4c5097a758cfcb650137341a8 Mon Sep 17 00:00:00 2001
From: Jonas Leder
Date: Wed, 30 Dec 2020 23:02:45 +0100
Subject: [PATCH] added hcaptcha for comments
---
 public/internal/comments.php | 6 ++++--
 public/newComment.php | 38 +++++++++++++++++++++++++++---------
 2 files changed, 33 insertions(+), 11 deletions(-)
diff --git a/public/internal/comments.php b/public/internal/comments.php
index 7a11f0a..cb15ec2 100644
--- a/public/internal/comments.php
+++ b/public/internal/comments.php
@@ -23,7 +23,7 @@ function getComments($article){
 } } echo(<<

@@ -34,7 +34,9 @@ function getComments($article){


- + +
+

Mit dem klick auf den obigen Button erklären sie sich mit der Datenschutzerklärung einverstanden.

diff --git a/public/newComment.php b/public/newComment.php
index b68e19b..acb7b49 100644
--- a/public/newComment.php
+++ b/public/newComment.php
@@ -1,16 +1,36 @@ escape_string(explode(".php", explode("Projekte/", $ref)[1])[0]);
-$name = $conn->escape_string($_POST["name"]);
-$email = $conn->escape_string($_POST["email"]);
-$comment = $conn->escape_string($_POST["comment"]);
+$data = array(
+ 'secret' => $secretkey,
+ 'response' => $_POST['h-captcha-response']
+);
-$sql = "INSERT INTO comments (name, email, comment, article) VALUES ('$name', '$email', '$comment', '$article')";
+$verify = curl_init();
+curl_setopt($verify, CURLOPT_URL, "https://hcaptcha.com/siteverify");
+curl_setopt($verify, CURLOPT_POST, true);
+curl_setopt($verify, CURLOPT_POSTFIELDS, http_build_query($data));
+curl_setopt($verify, CURLOPT_RETURNTRANSFER, true);
+$response_ = curl_exec($verify);
+$responseData = json_decode($response_);
-if ($conn->query($sql) === TRUE) {
- header("Location: $ref");
+
+
+if($responseData->success) {
+
+ $ref = $_SERVER["HTTP_REFERER"];
+ $article = $conn->escape_string(explode(".php", explode("Projekte/", $ref)[1])[0]);
+ $name = $conn->escape_string($_POST["name"]);
+ $email = $conn->escape_string($_POST["email"]);
+ $comment = $conn->escape_string($_POST["comment"]);
+
+ $sql = "INSERT INTO comments (name, email, comment, article) VALUES ('$name', '$email', '$comment', '$article')";
+
+ if ($conn->query($sql) === TRUE) {
+ header("Location: $ref");
+ } else {
+ echo "Error: " . $sql . "
" . $conn->error;
+ }
 } else {
- echo "Error: " . $sql . "
" . $conn->error;
+ echo "Failed to verify captcha.";
 }
\ No newline at end of file
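Review bot: The captcha check reads `$responseData->success` without confirming that `h-captcha-response` was posted, that `curl_exec()` succeeded, or that `json_decode()` returned an object, and the request sets no timeout, so a slow or failed verify call stalls the handler or ends in a PHP warning instead of a clean rejection. Inside the success branch, `header("Location: $ref")` still redirects to whatever the client-supplied Referer says, and the failure path echoes the full SQL statement and `$conn->error` to the visitor, which discloses schema detail. The sketch below fails closed on every verification error, accepts only a same-site path of the expected shape, binds the values through a prepared statement, and logs the database error server-side. The top of this hunk is not legible here, so it is worth confirming that `$secretkey` is loaded from configuration kept outside the repository.

```php
$token = $_POST['h-captcha-response'] ?? '';
// … unchanged: $data array, with 'response' => $token …

// … unchanged: curl_init() and the four curl_setopt() calls …
curl_setopt($verify, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($verify, CURLOPT_TIMEOUT, 10);
$response_ = curl_exec($verify);
$responseData = is_string($response_) ? json_decode($response_) : null;

// Fail closed: a missing token, transport error or unparsable reply counts as "not verified".
if ($token !== '' && is_object($responseData) && ($responseData->success ?? false) === true) {
    // Use only the path of the Referer, and only if it has the expected shape.
    // The character class is a placeholder; adapt it to the real article names.
    $path = parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_PATH);
    if (!is_string($path) || !preg_match('#^(?:/[A-Za-z0-9_-]+)*/Projekte/([A-Za-z0-9_-]+)\.php$#', $path, $m)) {
        http_response_code(400);
        exit('Invalid request.');
    }
    $article = $m[1];
    $name = (string) ($_POST['name'] ?? '');
    $email = (string) ($_POST['email'] ?? '');
    $comment = (string) ($_POST['comment'] ?? '');

    // Assumes $conn is a mysqli connection, as escape_string() and ->error suggest.
    $stmt = $conn->prepare('INSERT INTO comments (name, email, comment, article) VALUES (?, ?, ?, ?)');
    if ($stmt && $stmt->bind_param('ssss', $name, $email, $comment, $article) && $stmt->execute()) {
        header('Location: ' . $path);
        exit;
    }
    error_log('comment insert failed: ' . $conn->error);
    http_response_code(500);
    echo 'Error: the comment could not be saved.';
}
// … unchanged: else branch printing "Failed to verify captcha." …
```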