Is it wrong to parse the verification from Google?

Question

I used the script from here to do the verification.

The $result === FALSE condition was being bypassed regardless of me clicking on the re-captcha validation on my form.

So I decided to manually parse it like so:

The return looks like this if a failure:

{
 "success":false,
 "error-codes":[
  "missing-input-response"
 ]
}

And if it's success it looks similar but some additional things are attached, but the main thing I targeted was the string "success":true,

With this part of the script directly below the $result variable:

$result_copy = $result;
// remove white spaces everywhere
$mod_res_copy = preg_replace('/\s+/', '', $result_copy);
$success_string = '"success":true';
if(strpos($mod_res_copy, $success_string) !== false) {
    $status = "ok";
}else {
    $status = "not-ok";
}
if ($status == "not-ok") {
    echo "Please complete the captcha to prevent spam.";
    exit;
}else {
    // trigger database insert of comment or whatever
}

What I want to know is, is this wrong? Can this be spoofed? I'm using PHP as my server-side scripting language.

Answer 1

You are doing way more work than you need, to parse $result.
It is in JSON format, so this is all you need:

$status = json_decode($result)->success ? 'ok' : 'not-ok';