Mev-Rael, that's not too far-fetched -- given going through their codebase it's clearly written for PHP 4 and then had @ signs thrown at it for error suppression as someone's idea of making it PHP 5 compatible.
Though MOST of the offending code is related to it talking to their contact management software, something I already have a fix for from two other clients... some joker out there is writing these weird contact forms to e-mail the data as XML to the contact software, but is using a soft-coded reversible cipher to send the e-mail and SQL LOGIN DATA CLIENT SIDE!!! No wonder their SpamAssassin log is a fistful of ugly. I'm SHOCKED no crackers pwned the sites that use this code. In all probability they have, just there's nothing THAT critical in the data. REALLY good targets to hijack for spamming though.
The code for that cipher being pretty stupid too since it reads like it was tossed together by some VB programmer who doesn't know what shifts are or that PHP has more string operations than strpos and substr. First time I came across it (nearly a decade ago now) I wasted a day turning around 150 lines of bloat into a compact six lines, just in time to figure out what it was sending and go "why the HELL is this being sent client-side?!?"
Needless to say, recommending a full code audit, possibly a complete recode from scratch. There's no way in hell it's going to run on PHP 7 anyways since it's still derping along with mysql_ functions so sooner or later it's going to HAVE to be done.
The kicker being they HAVE an IT staff, and those jokers didn't understand what was wrong with mysql_, what was wrong with suppressing errors with @, or what's wrong with sending things like the e-mail address and sql login client side... that last one being pure stupidity, but their current full-timers going "but it's encrypted"... RIGHT. By a fixed reversible incrementing shift cipher with no salt. HERPA-FREAKING-DERP!!! Literally they might as well have been sending it BASE64.
Monday morning is gonna be a fun video conference.
Jason Knight
The less code you use, the less there is to break
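Added example, not code from the thread or from the sites it describes: a keyless incrementing shift is an encoding, so an audit can flag any hidden form field that decodes to readable text, and the fix is to keep the recipient and database login in server-side config. The cipher details, `START`, all function names, the `example.test` address and `crm_writer` are assumptions made up for illustration.

```javascript
// Constructed illustration; the real cipher is not shown in the thread.
// Assumption: each byte is shifted by a fixed start value plus its position.
const START = 3; // hard-coded constant shipped with the code, so not a secret

function shiftBytes(buf, sign) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) {
    out[i] = (buf[i] + sign * (START + i)) & 0xff;
  }
  return out;
}

// "Encryption" as deployed: no key or salt goes in.
function shiftEncode(text) {
  return shiftBytes(Buffer.from(text, 'utf8'), 1).toString('hex');
}

// Reversal needs only the algorithm, which every visitor already has.
function shiftDecode(hex) {
  return shiftBytes(Buffer.from(hex, 'hex'), -1).toString('utf8');
}

// Audit check: list hidden-field names whose values a keyless decode
// turns into readable text, i.e. data that is exposed to every client.
function auditHiddenFields(fields) {
  return Object.entries(fields)
    .filter(([, v]) => /^(?:[0-9a-f]{2})+$/i.test(v))
    .filter(([, v]) => /^[\x20-\x7e]+$/.test(shiftDecode(v)))
    .map(([name]) => name);
}

// Corrected design: recipient and DB login live in server-side config;
// the page carries only an identifier that reveals nothing by itself.
const SERVER_CONFIG = new Map([
  ['contact-main', { mailTo: 'leads@example.test', dbUser: 'crm_writer' }],
]);

function resolveForm(formId) {
  const cfg = SERVER_CONFIG.get(formId);
  if (!cfg) throw new Error('unknown form id');
  return cfg;
}
```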
Could be worse, I came across a client's site that nobody who worked on it still worked for them (or could even be reached?) where whenever it had a server error, instead of saying "500 error" or "404 error" or any of that, it loaded a page that played a clip from the music video for Zainichi Funk's "Scary Bomb" (also known online as "what if James Brown was a Japanese midget"). Their staff couldn't even figure out what was triggering it... I go to /var/log to start poking around and see a slew of 500 errors in the logs. Finally track down that ANY response other than 200 was set, in the httpd.conf of all places, to redirect to that video with a rewrite rule.
There's being funny, and then there's being intentionally obtuse in a way that screws over whatever poor sod is working on the site next. Dimes to dollars the joker who did it thought they were adding security to the process.
Of course, would have been a LOT easier if said client didn't treat their in-house developers like toilet paper; wipe and flush. ANOTHER reason I prefer to freelance.