Error "Notice: String offset cast occurred in" from HTML5 script

Hello. I have downloaded an HTML5 canvas script from https://github.com/zetakey/signsend and have had the script working. But for some reason line 68 from the https://github.com/zetakey/signsend/blob/master/upload_file.php file is now giving me an error

Notice : Undefined variable: i in /home/oststudentco/public_html/2019/upload_file.php on line 72

Notice : String offset cast occurred in /home/oststudentco/public_html/2019/upload_file.php on line 72

Message delivery failed…

so the script is as above :

    $message .= "Content-Type: application/octet-stream; name=\"" . basename($files) . "\"\n" . "Content-Description: " . basename($files[$i]) . "\n" . "Content-Disposition: attachment;\n" . " filename=\"" . basename($files) . "\"; size=" . filesize($files) . ";\n" . "Content-Transfer-Encoding: base64\n\n" . $data . "\n\n";

Could this be to do with the PHP version that is being used? If so, how can I correct this rather than changing the PHP version?

thanks

$files[$i]

Where is the $i (counter) coming from?

I see nothing you posted that declares $i… (or $files for that matter)

What is at line: 72?

line 72 is

    $message .= "Content-Type: application/octet-stream; name=\"" . basename($files) . "\"\n" . "Content-Description: " . basename($files[$i]) . "\n" . "Content-Disposition: attachment;\n" . " filename=\"" . basename($files) . "\"; size=" . filesize($files) . ";\n" . "Content-Transfer-Encoding: base64\n\n" . $data . "\n\n";

by the looks of it the $i is coming from

    if (is_file($files)) {
        $message .= "--{$mime_boundary}\n";
        $fp = @fopen($files, "rb");
        $data = @fread($fp, filesize($files));
        @fclose($fp);
        $data = chunk_split(base64_encode($data));

which is above line 72

you can actually see a working version here https://embed.plnkr.co/XHvIkH/

??

Where in that second snippet of code is the variable $i being declared? Am I missing it? Show me.

It also doesn’t make sense that in line ‘72’

it references:

basename($files[$i])

in one spot (alluding to it being an array)

and in other areas it is used as:

basename($files) (alluding to it being a value of some kind)?

That line 72 is something from the github project? or something you edited/added/altered?

Sooo… what is $files? A value? an array?

The undefined … php error is because of a mistake in the code. The basename($files[$i]) in the original line 68 should just be basename($files). This may or may not fix why the email is not being sent.

($files[$i]) is in the original code. This is taken from the original script

    $message .= "Content-Type: application/octet-stream; name=\"" . basename($files) . "\"\n" . "Content-Description: " . basename($files[$i]) . "\n" . "Content-Disposition: attachment;\n" . " filename=\"" . basename($files) . "\"; size=" . filesize($files) . ";\n" . "Content-Transfer-Encoding: base64\n\n" . $data . "\n\n";
    $i = TRUE;

after Content-Description:

Did you try to remove it?

and just use $files?

Yes I tried removing but no difference

Has this -ever- worked?

The lines/code you are providing just do NOT make sense.

trying to access a variable as an array? - not good
trying to use a boolean value as an index/counter for an array - not good
declaring the value of $i after it’s being used in a line - not good

I just DL’d the whole project… and ‘as-is’… it works… however you do get those NOTICES.

But in the end, the email is sent… and the attached signature is there.

Turn off notice reporting…


UPDATE:

AND… doing EXACTLY WHAT WE TOLD YOU DO… WORKS!

Why not follow the direction given here?

    $message .= "Content-Type: application/octet-stream; name=\"" . basename($files) . "\"\n" . "Content-Description: " . basename($files) . "\n" . "Content-Disposition: attachment;\n" . " filename=\"" . basename($files) . "\"; size=" . filesize($files) . ";\n" . "Content-Transfer-Encoding: base64\n\n" . $data . "\n\n";
    $i = TRUE;

the $i = TRUE; line is garbage too…
And it should be using $i since that is being used as a counter as well (roll eyes)

$w = TRUE;

then further down:

return $w;

but really all you had to do was listen to the initial advice and remove the [$i] from the line(s) you posted…

*** What I can find out… is WHY (how/where?) after sending this little text content and CLICK ME button is coming from for a brief second???

hmmmmm

UPDATE: nevermind about the little snippet that gets displayed… I see now there is a .js file where this stems from. (DOH)

The functionality of this server-side code is to attach a submitted file to an email and send it, any file. A base64 encoded .exe file containing a virus could be submitted to this code and due to the lack of validation and error handling logic, would get attached to an email and sent. The code that’s watermarking the image could have helped, but it’s filled with @ error suppressors and has no error handling logic in it. The correct response to an error when trying to process the file as an image would be to delete the file and stop processing the submission. This code also leaves the submitted files in a folder on the server (there’s no actual need to save the file to accomplish what this script is doing), which if they were ever treated as something other than an image, could allow code execution (an example that comes to mind is if they contain php code and someone gets code on a site to dynamically include/require one.)

Short-answer: external data can be anything, come from anywhere, and cannot be trusted. You MUST validate all external data before using it and use it safely in whatever context it is being used in.

1 Like
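The checks described in the post above, as an added example (not code from the signsend project or from any poster in this thread): decide the type from the bytes, stop on the first failure, re-encode through GD, and build the attachment in memory so nothing is saved on the server. It assumes the submission arrives as a base64 string and that the fileinfo and GD extensions are loaded; the function names, `MAX_BYTES` and the `signature.png` file name are hypothetical.

```php
<?php
const MAX_BYTES = 512 * 1024; // assumed upper bound for a signature image

// Hypothetical helper: returns a re-encoded PNG, or throws so the caller stops.
function signature_png_from_submission(string $b64): string
{
    $raw = base64_decode($b64, true); // strict mode rejects non-base64 input
    if ($raw === false || $raw === '' || strlen($raw) > MAX_BYTES) {
        throw new InvalidArgumentException('not base64, empty, or too large');
    }
    // Decide the type from the bytes, never from a client-supplied name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($raw);
    if (!in_array($mime, ['image/png', 'image/jpeg'], true)) {
        throw new InvalidArgumentException("unexpected content type: $mime");
    }
    $img = imagecreatefromstring($raw); // full decode; no @ suppression
    if ($img === false) {
        throw new InvalidArgumentException('image could not be decoded');
    }
    ob_start();
    imagepng($img); // re-encode: only pixel data is carried over
    return (string) ob_get_clean(); // held in memory, nothing written to disk
}

// Hypothetical helper: MIME part with a fixed, server-chosen file name.
function attachment_part(string $png, string $boundary): string
{
    return "--{$boundary}\n"
        . "Content-Type: image/png; name=\"signature.png\"\n"
        . "Content-Disposition: attachment; filename=\"signature.png\"\n"
        . "Content-Transfer-Encoding: base64\n\n"
        . chunk_split(base64_encode($png)) . "\n";
}

// Constructed sample inputs: a 1x1 PNG made with GD, and a non-image payload.
ob_start();
imagepng(imagecreatetruecolor(1, 1));
$samples = [
    'image'     => base64_encode((string) ob_get_clean()),
    'non-image' => base64_encode('MZ constructed sample bytes, not an image'),
];
foreach ($samples as $label => $b64) {
    try {
        $part = attachment_part(signature_png_from_submission($b64), 'b1');
        echo "$label: attached, ", strlen($part), " bytes\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```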

This was working fine as it was then just stopped. I will try removing then try again

The code is setting the From: email address to be one that doesn’t exist at your web hosting. Either your sending mail server or the receiving mail server probably flagged the emails as spam and stopped accepting them. The From: email address you use in an email must correspond to the sending mail server.

1 Like

Ok I understand. The server is not trusting the email address and there is lack of validation of the credibility of the attachment means it is being blacklisted by the server.
