From reCAPTCHA Wiki

Frequently asked questions about reCAPTCHA

Contents 1 Integration 1.1 How do I integrate reCAPTCHA with my PHP form handling code? 1.2 Can I use reCAPTCHA in static HTML files? 1.3 Can I internationalise the reCAPTCHA challenge itself? 2 Non-Javascript 2.1 I'm testing non-JS version and getting "You are at this page because..." 3 Troubleshooting 3.1 It's not working! Help! 3.2 I keep getting "verify-params-incorrect" when developing with Windows Vista 3.3 reCAPTCHA is accepting incorrect words 3.4 reCAPTCHA accepts anything I type 4 Other 4.1 Can I delete a key/all keys/a site/my account

Integration

How do I integrate reCAPTCHA with my PHP form handling code?

See How to integrate reCAPTCHA for a worked example.

Can I use reCAPTCHA in static HTML files?

Not if all you have are static HTML files - you require a server-side scripting language to verify the reCAPTCHA after it has been submitted by your users. This verification cannot be done in static HTML using Javascript or any other client-side language.

If you want reCAPTCHA you require either knowledge of a server-side language or a web application (examples of both may be found at http://recaptcha.net/resources.html,) and a hosting provider that will allow you to use it.

Can I internationalise the reCAPTCHA challenge itself?

Not yet. It is being looked into however - see http://groups.google.com/group/recaptcha/browse_thread/thread/e3c63ca13ab5f17d?hl=en

Non-Javascript

I'm testing non-JS version and getting "You are at this page because..."

If you are getting the message:

You are at this page because you loaded the JavaScript free version of reCAPTCHA, but it looks like you have JavaScript. We need to prevent this for security reasons. If you are testing out the JavaScript-free version, turn off JavaScript in your browser.

it means that reCAPTCHA has detected that your browser can handle some Javascript, but for some reason will not accept reCAPTCHA. This is typical of using (e.g.) NoScript in FireFox to selectively disable JS on a site by site basis.

Follow the instructions in the message and turn off JS totally in your browser for the duration of your testing.

Do not assume that turning off JS means simply doing this (in IE6 and IE7): Tools > Internet Options > Security > Custom level > Scripting > Active scripting > Disable. By default, this will only turn off JS in your Intranet zone, which means that the page containing the recaptcha widget will have JS turned off; but the page loaded into the iframe between the noscript tags will still have JS turned on, hence you will get the abovementioned message.

To turn off JS totally in this case, select the Internet zone (under Tools > Internet Options > Security) and then choose Custom level > Scripting > Active scripting > Disable as was done for the Intranet zone.

Troubleshooting

It's not working! Help!

Before doing anything else make sure you're using the correct keys. Are your public and private keys swapped? Did you remember to put the private key in the form handler as well as putting the public key in the form?

Note that Mailhide uses different keys from the main form based reCAPTCHA.

Be sure that your form uses the POST method, or else change the reCAPTCHA form handler variables to GET instead of POST.

I keep getting "verify-params-incorrect" when developing with Windows Vista

Vista defaults to IPV6 for localhost and the IP of the browser on localhost will be sent to reCAPTCHA as "0:0:0:0:0:0:0:1". You must test for this and change it to "127.0.0.1" during development.

reCAPTCHA is accepting incorrect words

reCAPTCHA consists of two words a verification word, which the reCAPTCHA server knows the answer to and a read word which comes from an old book. The read word is not graded (since the server is using human guesses to figure out the answer). As such, this word can be entered incorrectly, and the CAPTCHA will still be valid. Each read word is sent to multiple people, so incorrect solutions will not affect the output of reCAPTCHA.

On the verification word, reCAPTCHA intentionally allows an "off by one" error depending on how much we trust the user giving the solution. This increases the user experience without impacting security. reCAPTCHA engineers monitor this functionality for abuse.

reCAPTCHA accepts anything I type

You probably aren't validating the reCAPTCHA with the API servers.

Other

Can I delete a key/all keys/a site/my account

No.

Since your's is the only site that can use those keys, no-one else can use them. Simply stop using them. Leaving them 'on the system' as it were, does no harm.

If you're having perceived problems because, for example you've created keys for www.example.com and example.com (without the www) and you want www.example.com to be 'deleted' because you're having issues with authentication, simply remove all keys from your code that refer to the the www.example.com - your example.com keys should work with www.example.com.