What is wrong with this script?

Hello,
The following script runs fine with php7.4, but when I switch to php8.2 it gives the error “Image validation failed”.
Any idea what is wrong and where?

<?php
require "config.php";
$ver = "";
session_start(['img']);
$data_error = 1;
foreach ($_POST as $key => $val){
    if($key=="email" && $val!=""){
        $from=$val;
    }
    if($key=="redirect" && $val!=""){
        $send_page=$val;
    }
    if($key=="subject" && $val!=""){
        $subject=$val;
    }
    if ($key == "key") {
        $sec_key = $val;
    }
    if($val!="Submit" && $key!="key" && $key!="B1" && $key!="PHPSESSID" && $key!="redirect" && $key!="required" && $key!="recipient" && $key!="subject"){
        for ($i=0; $i < count($form_names); $i++) {
            if ($form_names[$i] == $key && $val == ""){
                $msg = "Sorry, $key $field_error";
                error_alert($msg);
            }
        }
        if($val!="" && $data_error=="1" && $key != "email" && $key != "key"){
            $data_error = 0;
        }
            $msg = '';
            $msg = "$msg $key : $val \n\n";
    }
}
if ($img_validate == "1") 
{
    $sec_code = $_SESSION['sec_code'];
    if (md5((int)$sec_key) != (int)$sec_code){
        error_alert($image_error);
    }
}
if(!preg_match ("/^([a-z0-9_]||\\.)+@(([a-z0-9_]|)+\\.)+[a-z]{2,4}$/", $from)){
    $msg = "Sorry, $from $email_error";
    error_alert($msg);
}
$id = "\n". $_SERVER['HTTP_USER_AGENT'] ."\n Client IP = ". $_SERVER['REMOTE_ADDR']."\n https://www.5starastrology.com/ $ver on ";
$admin = $_SERVER['SERVER_ADMIN'];
$submit_date = date('F j, Y, g:i a T');
$table_start = "";
$table_end = "";
if($data_error=="0"){
    $_SESSION['sec_code'] = "NO";
    $error="0";
    $header = "From: <$from>\n";
    $header .= "Return-path: <$from>\n";
    $header .= "X-Sender-IP: " .$_SERVER['REMOTE_ADDR']."\n";
    $header .= "X-Mailer: $ver \n";
    $header .= "X-MailerWebSite: https://www.5starastrology.com/\n";
    $body = "$table_start $msg $table_end $id $submit_date";
    send_mail($mail_to, $subject, $body, $sec_local, $header);
    if ($send_reply == "1") {
        $fd=fopen("reply_email.txt","r");
        while ($line=fgets($fd,1000))
        {
            $reply_email_body.=$line;
        }
        fclose ($fd);
        if ($reply_email_form_name == ""){
            $reply_email_form_name = $_SERVER['HTTP_HOST'];
        }
        $header = "From: $reply_email_form_name <$reply_email_from>\n";
        $header .= "Return-path: <$reply_email_from>\n";
        $header .= "X-Reply-To : <$reply_email_from>\n";
        $header .= "X-Sender-IP: " .$_SERVER['REMOTE_ADDR']."\n";
        $header .= "X-Mailer: $ver \n";
        $header .= "X-MailerWebSite: https://www.5starastrology.com/\n";
        $header .= "Content-Type: text/html; \n charset=iso-8859-1 \n";
        $reply_email_body .= "<a href='https://www.5starastrology.com/'>$ver </a>";
        send_mail($from, $reply_email_subject, $reply_email_body, $sec_local, $header);
    }
}
else {
    error_alert($blank_error);
    $error="1";
}
if ($error_repote=="0") {
    if($error=="0"){
        header ("Location: $send_page");
    }
    else {
        header ("Location: $error_page");
    }
}
else {
    if($error=="0"){
        disply_error_msg($ok_msg);
    }
    else {
        disply_error_msg($error_msg);
    }
}
function error_alert($msg){
    $_SESSION['sec_code'] = "NO";
    print "<SCRIPT>";
    print "alert ('$msg');";
    print "history.go(-1);";
    print "</SCRIPT>";
    die("$msg");
}
function disply_error_msg($msg) {
    echo "$msg";
    echo "<a href=javascript:history.go(-1)>Click here to Go Back.</a>";
    die();
}
function send_mail($mail_to, $subject, $msg, $sec_local, $header){
    if ($sec_local == md5((int)$_SERVER['SERVER_SIGNATURE'] + (int)$_SERVER['HTTP_USER_AGENT'])){
        mail($mail_to, $subject, $msg, $header);
        $_SESSION['sec_code'] = "NO";
    }
    else
    {
        die("Bad Submit");
    }
}

header("location: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=".$_POST['item']);

Thanks for all the inputs in advance.
Best regards to all of you to help me.
Arun

You are going to need to help us out, since you have not posted everything needed to reproduce the problem.

The error is likely coming from the if ($img_validate == "1") … logic, which is apparently a captcha test? Is this being used? Is $img_validate a 1? Has it always been a 1?

Next, the if ($img_validate == "1") … logic is nonsense. It is loosely comparing the md5() of a value with the (int) of the value in a session variable. These will only be equal if any leading numerical characters are the same, which means that there are a lot of different values that will match. The code should be testing for an exact match between the values. The casting and comparison of strings starting with numerical characters has changed in php, so this could be the cause of the problem.

This logic also needs to test if there is a value in the session variable before using it. If there is not, it indicates that the form page wasn’t visited to generate the value in the session variable.

The only other apparent problem with the code is that the array being provided to session_start() is invalid (all php versions), since it doesn’t have an associative index at all, and one not matching the permitted settings.
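
An added example, not part of the original posts, sketching the exact-match check the reply above describes next to the comparison from the posted script. It assumes the captcha image script (not shown in the thread) stores md5() of the displayed code in $_SESSION['sec_code']; legacy_check, captcha_ok and the sample values are hypothetical and constructed for illustration.

```php
<?php
// Added example. Assumption: the captcha image script (not shown in the
// thread) stores md5() of the displayed code in $_SESSION['sec_code'].

// The comparison from the posted script, kept as written for contrast.
// It loosely compares a 32-character hex string with an integer, so its
// result depends on the PHP version's string/number comparison rules.
function legacy_check($sec_key, $sec_code): bool
{
    return !(md5((int)$sec_key) != (int)$sec_code);
}

// Exact-match check: the session value must exist, be a string, and equal
// the hash of what the visitor typed. hash_equals() compares whole strings.
function captcha_ok(array &$session, $submitted): bool
{
    $stored = $session['sec_code'] ?? null;
    $session['sec_code'] = 'NO';   // single use, as the posted script does
    if (!is_string($stored) || $stored === 'NO' || !is_string($submitted)) {
        return false;              // the form page never generated a code
    }
    return hash_equals($stored, md5($submitted));
}

// Constructed sample data: one captcha code and three submissions.
$code  = '48213';
$cases = [
    'correct code'   => [['sec_code' => md5($code)], '48213'],
    'wrong code'     => [['sec_code' => md5($code)], '11111'],
    'no session val' => [[], '48213'],
];

foreach ($cases as $label => [$session, $typed]) {
    $legacy = legacy_check($typed, $session['sec_code'] ?? null);
    $strict = captcha_ok($session, $typed);
    printf("%-15s legacy=%s strict=%s (PHP %s)\n", $label,
        var_export($legacy, true), var_export($strict, true), PHP_VERSION);
}
```

Running the same file under PHP 7.4 and PHP 8.2 shows whether the legacy column changes between versions while the strict column stays the same.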

Hello,
Thanks for your kind input. Indeed, I am so naive and new that I do not know what to post and not to post.

  1. Anyway, the name of the above-mentioned file is webmail.php and it is called by a form on ap.php, whose location URL is https://www.5starastrology.com/ap.php - the server is enabled for php 8.2
  2. Here is the form of ap.php:
<form method="POST" action="webmail.php">
<input type="hidden" name="item" value="FFEUEJYZDV8KQ"> 
<input type="hidden" name="detail" value="Astrological Annual Prediction"> 
<INPUT TYPE="HIDDEN" NAME="subject" VALUE="Astrological Annual Prediction">
              <H2 align="center"><font face="Arial, Helvetica, sans-serif" size="2"><i>Submitting 
                your order means that you agree to these terms and conditions.</i></font></h2>
              <p><FONT size="2" face="Verdana, Arial, Helvetica, sans-serif"> 
                <input type="radio" checked name="module" value=" I want to order the Astrological Annual Prediction only: $30">
                I want to order the Astrological Annual Prediction only.<br>
                <input type="radio" checked name="responcibility" value=" I will be solely responsible for false information I submit to 5StarAstrology.Com&reg;&trade;. All information provided below is correct and accurate.">
                I will be solely responsible for false information I submit to 5StarAstrology.Com&reg;&trade;. All information provided below is correct and accurate.<br>
                <input type="radio" checked name="assure" value=" I have gone through the demo reports and found them to be satisfactory.">
                I have gone through the demo reports and found them to be satisfactory.<br>
                </font>
              <table border="0">
                <tr> 
                  <td align="right"><em>Full Name</em></td>
                  <td> 
                    <input type="text" size="35"
                name="name">
                  </td>
                </tr>
                <tr> 
                  <td align="right"><em>Valid active email address, please</em></td>
                  <td> 
                    <input type="text" size="35"
                name="email">
                  </td>
                </tr>
                <tr> 
                  <td align="right"><em>Place of birth</em></td>
                </tr>
                <tr> 
                  <td align="right"><em>(Village, Town, City, State, Province & 
                    Country)</em></td>
                  <td> 
                    <input type="text" size="35"
                name="place">
                  </td>
                </tr>
                <tr> 
                  <td align="right"><em>Time of birth</em></td>
                  <td> 
                    <input type="text" size="7"
                name="time">
                  </td>
                </tr>
                <tr> 
                  <td align="right"><em>Date of birth</em></td>
                </tr>
                <tr>
                  <td align="right"><em>(dd MMMM yyyy)</em></td>
                  <td> 
                    <input type="text" size="2" name="day">
                <select name="month" size="1">
                      <option selected>January </option>
                      <option>February </option>
                      <option>March </option>
                      <option>April </option>
                      <option>May </option>
                      <option>June </option>
                      <option>July </option>
                      <option>August </option>
                      <option>September </option>
                      <option>October </option>
                      <option>November </option>
                      <option>December </option>
                    </select>
                <input type="text" size="4"
                name="year">
                  </td>
                </tr>
                 <tr>
                  <td align="right"><em>Gender/Sex:</em></td>
                  <td> 
                    <select name="yoursex" size="1">
                      <option selected>Female </option>
                      <option>Male </option>
                      <option>Other </option>
                    </select>
                  </td>
                </tr>
                <tr> 
                  <td align="right"><em>Language of Readings/Results:</em></td>
                  <td> 
                    <select name="language" size="1">
                      <option>Bangla </option>
                      <option selected>English </option>
                      <option>French </option>
                      <option>German </option>
                      <option>Gujarati </option>
                      <option>Hindi </option>
                      <option>Italian </option>
                      <option>Portuguese </option>
                      <option>Spanish </option>
                      <option>Tamil </option>
                    </select>
                  </td>
                </tr>
                <tr> 
                  <td align="right"><em>Prediction for which year?</em></td>
                  <td> 
                    <input type="text" size="8"
                name="fromyears">
                  </td>
                </tr>
                         <tr>
					<td align="right"><em>Validate &nbsp;</em></td>
				<td><img src="img/img.jpg" width="55" height="30">
				&nbsp;&nbsp;&nbsp;&nbsp;
				<input type="text" name="key" size="7"> </td>
		  </tr>
<tr><td><font size=-1 color="red">(Your I.P. Address will be recorded for security - Legal Team)</font></color></size></font></td></tr>
              </table>
              <p></p>
              <p class=style3 align=right> 
                <input type="image" src="img/submit.gif" BORDER="0">
            </form>
  3. webmail.php includes config.php.
    Here is config.php:
<?php
$subject = "Support";
$mail_to = "quick-help@5starastrology.com";
$from = "quick-help@5starastrology.com";
$error_repote = 0;
$error_page = "https://www.5starastrology.com/error.htm";
$send_page = "https://www.5starastrology.com/thankyou.htm";
$error_msg = "Sorry, Error Sending Form!";
$ok_msg = "Thank you, Form is Sent!";
$blank_error = "Sorry, cannot send form. It is blank !";
$image_error = "Sorry, Image Validation Failed !";
$email_error = "is not a valid e-mail address !";
$field_error = "field is blank, this is a mandatory field !";
$form_names = array("gname", "gtime", "bname", "btime", "gdate", "bdate", "language", "name", "email", "street", "state", "zip", "country", "key", "subject", "message", "yoursex", "time", "date", "place", "Problem", "question_answer", "fromyears", "problem_solution");
$img_validate = 1;
$send_reply = 1;
$reply_email_subject = "Thank your [Please do not reply]";
$reply_email_from = "auto@5starastrology.com";
$reply_email_form_name = "Admin Team";
$sec_local = md5((int)$_SERVER['SERVER_SIGNATURE'] + (int)$_SERVER['HTTP_USER_AGENT']);

Hope this will help you to figure out the troubled spot(s).
I am so thankful to you for your reply.
Best regards.
Arun
