There are a number of problems in your code. First, your $secretKey value is computed as a padded SHA1 hash when the implementation requires the first sixteen bytes of the SHA1 hash.
$secretKey = substr(hash('sha1', $secretKey, true), 0, 16);
Second, you are trying to perform a base64 decode of the secret key, which is not valid here. The second argument to mcrypt_encrypt() should be $sKey, not base64_decode($sKey).
Finally, as explained in x77686d's answer, you should be using a "URL-safe" base64. That is a variation of base64 that is unpadded and does not use the + or / characters. Instead, the - and _ characters are used in their places.
ReCaptcha's secure tokens are a bit of a pain, honestly. They are insecure and the algorithm is undocumented. I've been in the same position as you and needed an implementation, so I wrote one and published it on Packagist as "slushie/recaptcha-secure-token". I'd recommend using it and/or contributing, if only because of the lack of alternative implementations of this algorithm.
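The three corrections above, combined in one round trip. This is an added example, not code from the answer or from the slushie/recaptcha-secure-token package. It assumes AES-128-ECB with PKCS#7 padding through the openssl extension (the answer names only mcrypt_encrypt()); the function names are hypothetical and the secret and payload are constructed.

```php
<?php
// Assumption: AES-128-ECB with PKCS#7 padding; the page names only mcrypt_encrypt().
const TOKEN_CIPHER = 'aes-128-ecb';

/** First sixteen raw bytes of the SHA1 digest, not a padded hash. */
function deriveTokenKey(string $siteSecret): string
{
    return substr(hash('sha1', $siteSecret, true), 0, 16);
}

/** URL-safe base64: '-' and '_' replace '+' and '/', and '=' padding is dropped. */
function base64UrlEncode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function base64UrlDecode(string $text): string
{
    // Restore the padding that the URL-safe form leaves out before strict decoding.
    $padded = $text . str_repeat('=', (4 - strlen($text) % 4) % 4);
    $raw = base64_decode(strtr($padded, '-_', '+/'), true);
    if ($raw === false) {
        throw new InvalidArgumentException('not valid URL-safe base64');
    }
    return $raw;
}

function encryptToken(string $plaintext, string $siteSecret): string
{
    // The derived key is passed as raw bytes, never base64-decoded.
    $cipherText = openssl_encrypt($plaintext, TOKEN_CIPHER, deriveTokenKey($siteSecret), OPENSSL_RAW_DATA);
    if ($cipherText === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64UrlEncode($cipherText);
}

function decryptToken(string $token, string $siteSecret): string
{
    $plaintext = openssl_decrypt(base64UrlDecode($token), TOKEN_CIPHER, deriveTokenKey($siteSecret), OPENSSL_RAW_DATA);
    if ($plaintext === false) {
        throw new RuntimeException('decryption failed');
    }
    return $plaintext;
}
// Constructed sample values, not real credentials.
$token = encryptToken('{"example":"constructed payload"}', 'example-site-secret');
var_dump(strpbrk($token, '+/=') === false); // token contains no '+', '/' or '='
var_dump(decryptToken($token, 'example-site-secret') === '{"example":"constructed payload"}');
```

The mcrypt extension was removed from PHP core in 7.2, which is why the sketch uses openssl_encrypt() instead.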