drupal webforms and recaptcha

One of the great features of Drupal is that you can so easily extend its functionality with modules.

For example, the webform module allows you to gather information from users by creating forms using all available HTML form elements and then store these responses in a database and send an email. All without needing to write any PHP code.

One problem with forms on web pages though, is that spammers tend to find them very quickly and try to find vulnerabilities in them that allow them to use the form to send email about viagra and cheap rolex watches to any number of unsuspecting victims. Even if the form is not vulnerable, you'll still end up with hundreds or thousands of spam entries in the database and your email inbox. Very annoying.

Drupal has a solution for this too; the recaptcha module allows you to automatically place a widget on any form, that forces the user to enter two random words before the form can be submitted. It is very hard for software to decipher these words, so it makes the form useless for spammers.

When you create a form, its node ID is used to generate an identifier that you can add to the recaptcha administration page, so automatically have the captcha challenge added to your form. For instance, if your form node ID is 42, the identifier will be webform-client-form-42.

There is one slight issue though; if you try to enter this identifier in the captcha the admin page will say Illegal form_id. Not helpful.

It turns out that you need to convert all hyphens to underscores when you enter the form identifier. So instead of  webform-client-form-42 you enter webform_client_form_42.

And as if by magic, the spam stops! :-)


Just wanted to mention that this tip has saved me an incredible amount of time so thankyou -

Also works for ordinary drupal captcha
I have image captcha running fine.

Thanks again.

Just wanted to thank you for the easy to follow tip. Article was easy to find on Google, and ended up really helping out.

Just wanted to mention that it also helps to see the CAPTCHA by logging out first before viewing the page ;]

A million thankyou's ! This solved my problem.

Hi there!

Thanks for posting this. It's the little things that usually fox non developers like me when putting together a drupal site. I'd never have guessed that the - needed to be converted to _ ; and that made all the difference.

Cheers, Amigo!

I've since filed a patch to the captcha module to have it display a helpful message and in fact suggest the correct form_id if it finds hyphens and not underscores. Hopefully that'll go in soon.

Thanks for taking the time publish posts like this. However, I couldn't imagine a more difficult typeface to read on a screen. A big one at that.

In theory that should be "webform_client_form_7__2". Make sure you're testing that as a user who does not have permissions to bypass the captcha.

That's true! I tested using an admin account!
Thank you very much!

Add new comment