Ajax/PHP Contact Form Verification Code fails

Question

Hey everyone, I posted a topic earlier that helped my previous problem by using $_SESSION instead of $_COOKIE But when I enter the correct verification number it's still saying that I entered the wrong one. I went to a website and generated a random MD5 hash with random text, is this what I'm supposed to do?

I have no clue what's wrong but here is what I have:

HTML Form:

<form id="ajax-contact-form" action="javascript:alert('success!');">
<label>Name:*</label><INPUT class="textbox" type="text" name="name" value=""><br />

<label>E-Mail:*</label><INPUT class="textbox" type="text" name="email" value=""><br />

<label>Telephone:</label><INPUT class="textbox" type="text" name=telephone" value="" /><br />

<INPUT class="textbox" type="hidden" name="subject" value="Contact Form" >

<label>Message:*</label><TEXTAREA class="textbox" NAME="message" ROWS="5" COLS="25"></TEXTAREA><br />
<tr>
<label>Image  Verification:*</label>
        <input type="text"  name="verify" style="width:200px;" /><img src="verification.php?<?php echo rand(0,9999);?>" width="50"  height="24" align="absbottom" />


<label>&nbsp;</label><INPUT class="button" type="submit" name="submit" value="Send Message">
</form>

The contactform.php:

<?php
/*
Credits: Bit Repository
URL: http://www.bitrepository.com/
*/

include 'config.php';

   error_reporting (E_ALL ^ E_NOTICE);

   $post = (!empty($_POST)) ? true : false;

  if($post)
{
include 'functions.php';

$name = stripslashes($_POST['name']);
$email = trim($_POST['email']);
$telephone = stripslashes($_POST['telephone']);
$subject = stripslashes($_POST['subject']);
$message = stripslashes($_POST['message']);
$verify = stripslashes($_POST['verify']);


$error = '';

// Check name

if(!$name)
{
$error .= 'Please enter your name.<br />';
}

// Check email

if(!$email)
{
$error .= 'Please enter an e-mail address.<br />';
}

if($email && !ValidateEmail($email))
{
$error .= 'Please enter a valid e-mail address.<br />';
}

// Check message (length)

if(!$message || strlen($message) < 15)
{
$error .= "Please enter your message. It should have at least 15 characters.<br />";
}

// Check Verification code
if(md5($verify).'098f6bcd4621d373cade4e832627b4f6' !=  $_SESSION['contact_verify'])
{
$error .= 'Image Verification failed.<br />';
}





//Send the Name, Email, Telephone, and Message in a formateed version.
 $email_message = "The following message was sent to you in your contact form on   domain.com\n\n";

function clean_string($string) {
  $bad = array("content-type","bcc:","to:","cc:","href");
  return str_replace($bad,"",$string);
}
$email_message .= "Name: ".clean_string($name)."\n";
$email_message .= "Email: ".clean_string($email)."\n";
$email_message .= "Telephone: ".clean_string($telephone)."\n";
$email_message .= "Message: ".clean_string($message)."\n";

if(!$error)
{
$mail = mail(WEBMASTER_EMAIL, $subject, $email_message,
 "From: ".$name." <".$email.">\r\n"
."Reply-To: ".$email."\r\n"
."X-Mailer: PHP/" . phpversion());


if($mail)
{
echo 'OK';
}

}
else
{
echo '<div class="notification_error">'.$error.'</div>';
}

}
?>

Any my verification.php file:

<?php
//Declare in the header what kind of file this is
header('Content-type: image/jpeg');

//A nice small image that's to the point 
$width = 50;
$height = 24;

//Here we create the image with the sizes declared above and save it to a  variable my_image
$my_image = imagecreatetruecolor($width, $height);

//Let's give our image a background color.  White sound ok to everyone?
imagefill($my_image, 0, 0, 0xFFFFFF);

//Now we're going to add some noise to the image by placing pixels  randomly all over the image
for ($c = 0; $c < 40; $c++){
$x = rand(0,$width-1);
$y = rand(0,$height-1);
imagesetpixel($my_image, $x, $y, 0x000000);
}

$x = rand(1,10);
$y = rand(1,10);

$rand_string = rand(1000,9999);
imagestring($my_image, 5, $x, $y, $rand_string, 0x000000);

/*
We're going to store a ****** in the user's browser so we can call to it
later and confirm they entered the correct verification. The
"decipher_k2s58s4" can be anything you want.  It's just our personal
code to be added to the end of the captcha value stored in the ******
as an encrypted string
*/
$_SESSION['contact_verify'] = (md5($rand_string).'098f6bcd4621d373cade4e832627b4f6');

imagejpeg($my_image);
imagedestroy($my_image);
?>

Answer 1

Your verification.php i believe has no session_start();

Add session_start(); as first line on that page see if that works with your original code before you edited it.

The only time you don't need to do this is when the PHP file is added with require_once or include . This is because the script would inherit it from the file that called it. You how ever call it from HTML which means it doesn't.

Every file needs to have session_start(); or they cannot use $_SESSION vars.

Side note: You should also add error reporting on your verification.php script too so you could see the issue ;)

Answer 2

This appears to be incorrect:

if(md5($verify).'098f6bcd4621d373cade4e832627b4f6' ...

I doubt you want to append the md5 of $verify and this other hash. Try:

if(md5($verify) !=  $_SESSION['contact_verify']) {
     $error .= 'Image Verification failed.<br />';
}