-2

Something may be wrong with my logic or with the hosting server, because when I try it locally it works flawlessly! However, when I upload it, it always executes the second statement no matter what the value of applicant_email_activated is.

It is driving me crazy, please help!

<?php
// Sanitize the provided inputs ('?? ''' avoids an undefined-index notice when a parameter is missing)
$applicant_email = filter_var(stripAndCleanHTML($_GET['applicant_email'] ?? ''), FILTER_SANITIZE_EMAIL); # sanitize the email
$applicant_token = stripAndCleanHTML($_GET['applicant_token'] ?? ''); # sanitize the token

/**************** Find the applicant that has the same email *******************/

$database_connection = Database::database_connect();

// Standard SQL 'AND' rather than the MySQL-only '&&' synonym; both values are bound as parameters below
$find_email_query = $database_connection->prepare('SELECT * FROM applicants WHERE applicant_email = :applicant_email AND applicant_token = :applicant_token LIMIT 1');

// execute() returns false on failure. errorCode() returns a SQLSTATE string such as '00000',
// so comparing it with "> 0" relies on string-to-number juggling and is not a reliable check.
if (!$find_email_query->execute(['applicant_email' => $applicant_email, 'applicant_token' => $applicant_token])) {

    if (DEBUG === true) {

        echo 'There was an issue in searching for the email Big Boss: <br>';
        print_r($find_email_query->errorInfo());
        die();

    } else {

        header('location:../404.shtml', true, 404);
        die();

    }

}

$applicants = $find_email_query->fetchAll();

// Initialise the flag so that "no matching row" is distinguishable from 0 and 1;
// an unset variable would otherwise silently skip both branches below.
$applicant_email_activated = null;

foreach ($applicants as $applicant) {

    $applicant_username         =   (string) stripAndCleanHTML($applicant['applicant_username']);
    $applicant_password         =   (string) stripAndCleanHTML($applicant['applicant_password']);
    $applicant_name             =   (string) stripAndCleanHTML($applicant['applicant_name']);
    $applicant_phone            =   (string) stripAndCleanHTML($applicant['applicant_phone']);
    $applicant_birthdate        =   (string) stripAndCleanHTML($applicant['applicant_birthdate']);
    $applicant_city             =   (string) stripAndCleanHTML($applicant['applicant_city']);
    $applicant_country          =   (string) stripAndCleanHTML($applicant['applicant_country']);
    $applicant_major            =   (string) stripAndCleanHTML($applicant['applicant_major']);
    $applicant_major_type       =   (string) stripAndCleanHTML($applicant['applicant_major_type']);
    $applicant_exp_years        =   (string) stripAndCleanHTML($applicant['applicant_exp_years']);
    $applicant_cv               =   (string) stripAndCleanHTML($applicant['applicant_cv']);

    // Cast to int so the strict comparisons below hold whether the driver returned
    // the TINYINT as the string "1" or as the integer 1.
    $applicant_email_activated  =   (int) stripAndCleanHTML($applicant['applicant_email_activated']);

}

if ($applicant_email_activated === 1) {

    include '../../includes/job_app/email_has_been_activated.inc.php';

} elseif ($applicant_email_activated === 0) {

    include '../../includes/job_app/email_confirmed.php';

} else {

    // No applicant matched this email/token pair: treat it like any other bad link
    header('location:../404.shtml', true, 404);
    die();

}

?>

This is the function I used to clean the value:

// Trims, removes tags and HTML-escapes a value. stripslashes() is a leftover from the
// magic_quotes era: with prepared statements nothing adds slashes, so it only alters
// legitimate backslashes in the data.
function stripAndCleanHTML($to_clean)
{
    return htmlspecialchars(strip_tags(stripslashes(trim($to_clean))));
}

And this is the Database class:

class Database
{

    // Connection settings. In a deployed application these belong in a config file or
    // environment variables outside the web root, not in source that may be committed
    // or pasted publicly.
    private const DB_HOST     =   'domain.com';
    private const DB_NAME     =   'ats';
    private const DB_CHARSET  =   'utf8';
    private const DB_USER     =   'public_user';
    private const DB_PASS     =   '1F#kaH$!q5r2as';

    public static function database_connect()
    {

        try {

            // setting DSN (Data Source Name)
            $dsn = 'mysql:host=' . Database::DB_HOST . ';' . 'dbname=' . Database::DB_NAME . ';' . 'charset=' . Database::DB_CHARSET;

            // creating a PDO (PHP Data Object) instance
            $pdo = new PDO($dsn, Database::DB_USER, Database::DB_PASS);
            $pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);

            return $pdo;

        } catch (PDOException $e) {

            if (DEBUG === true) {

                echo $e->getMessage().'<br>';
                die();

            } else {

                die();

            }
        }

        // (the unreachable 'return $db_info;' that used to follow referenced an undefined variable)

    }
}
  • There's no way to answer this without seeing the code for `stripAndCleanHTML()` and knowing the value of `$applicant['applicant_email_activated']` – Patrick Q Apr 23 '18 at 14:18
  • What does `var_dump($applicant_email_activated)` show? – John Conde Apr 23 '18 at 14:18
  • Have you tried with `==`? http://php.net/manual/en/language.operators.comparison.php – Chopi Apr 23 '18 at 14:19
  • I think the problem is in stripAndCleanHTML and it might be a version problem – Sugumar Venkatesan Apr 23 '18 at 14:20
  • Log the value of applicant_email_activated, because I suspect it doesn't have the value you think it has. Also, always assume that a value might be something other than you expect and write code to handle it. (In this case, as the value is 0 or 1, I'd treat 0 as boolean false and any other value as boolean true.) – GordonM Apr 23 '18 at 14:23
  • @Chopi I'd not advise that; == triggers type juggling, which can have all kinds of unexpected behaviours. I'd always recommend === (with an explicit cast if necessary) over == except where == is the only sensible alternative – GordonM Apr 23 '18 at 14:24
  • @GordonM thanks for the suggestion! Really, it would be interesting to know what is inside $applicant['applicant_email_activated'] – Chopi Apr 23 '18 at 14:32
  • The value when I use var_dump() is 1, but it still keeps executing the second block! And I even tried two equal signs, ==! – Hamza Abdullah Mohammed Apr 23 '18 at 14:36
  • For more clarification, I use MySQL and I set the type of the column to be a tinyint with a length of 1. Moreover, when I check the value in the database I find it to be 1! Even in the database! – Hamza Abdullah Mohammed Apr 23 '18 at 14:40
  • What do you get if you replace those `include` lines with `echo "activated";exit;` and `echo "not activated";exit;` respectively? – Patrick Q Apr 23 '18 at 14:43
  • Dear @PatrickQ, I did, and sadly nothing new! – Hamza Abdullah Mohammed Apr 23 '18 at 14:53
  • God damn it, I am losing my mind!! – Hamza Abdullah Mohammed Apr 23 '18 at 14:54
  • What does "nothing new" mean? What, specifically, is the result? – Patrick Q Apr 23 '18 at 14:54
  • It executes the second statement again, which is to echo *"not activated";exit;* – Hamza Abdullah Mohammed Apr 23 '18 at 15:00
  • stripslashes is long since dead! Don't use it! I don't know if that's your problem, but it definitely won't help. In fact, if you're using this for protecting your DB then you need to stop right now, and use proper escaping at the very least and preferably prepared statements. (I've read that you are indeed using prepared statements, which makes adding/stripping slashes redundant anyway.) – GordonM Apr 23 '18 at 15:48
  • Dear @GordonM, I have tried the same code without stripslashes, but without any luck! Please advise! – Hamza Abdullah Mohammed Apr 23 '18 at 16:12

1 Answer

0

It did work after I removed the (int) and put the comparison numbers into single quotes! Crazy, right?

I guess the server at the hosting company handles PHP in a peculiar manner! Or maybe I have pumped up the app with a lot of stripping nonsense, as some of you would agree; nonetheless, I have done it and I can go home and sleep knowing my baby app is safe and sound!

A huge thank you for the tips and mentoring, have a good day! And do not forget to be awesome.
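The comparison the answer above works around (the flag coming back as the string "1" on one server and the integer 1 on another) and the email/token lookup from the question, as an added example that is not code from the question, the answer, or the application they describe. It assumes an in-memory SQLite database so that it runs stand-alone (the original uses MySQL), a token that is the hex encoding of 32 random bytes, and one constructed applicant row seeded by `seed()`; the table and column names follow the question.

```php
<?php
// Added example, not code from the question or the answer above. It performs the
// same e-mail/token activation check with the type problem handled explicitly:
// the flag is normalised to int before the strict comparison, the token is
// compared with hash_equals(), and "no matching row" gets its own result.
//
// Assumptions not in the original post: an in-memory SQLite database (so the
// script runs stand-alone; the original uses MySQL), 64-hex-character tokens,
// and one constructed applicant row created by seed().

declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on driver errors instead of inspecting errorCode(), which returns a
    // SQLSTATE string such as '00000' and is not meaningfully compared with 0.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    return $pdo;
}

// Creates the table and one constructed applicant; returns that applicant's token.
function seed(PDO $pdo): string
{
    $pdo->exec('CREATE TABLE applicants (
        applicant_email TEXT NOT NULL UNIQUE,
        applicant_token TEXT NOT NULL,
        applicant_email_activated INTEGER NOT NULL DEFAULT 0
    )');
    $token  = bin2hex(random_bytes(32));
    $insert = $pdo->prepare('INSERT INTO applicants (applicant_email, applicant_token, applicant_email_activated)
                             VALUES (:email, :token, 0)');
    $insert->execute(['email' => 'alice@example.com', 'token' => $token]);
    return $token;
}

// PDO returns integer columns as strings on PHP < 8.1 and as native ints on 8.1+
// (and with native, non-emulated prepares on MySQL), so both "1" and 1 are
// possible. Normalise before any === comparison and reject anything else loudly.
function flagToInt($raw): int
{
    if (is_int($raw) || (is_string($raw) && preg_match('/\A[0-9]+\z/', $raw) === 1)) {
        return (int) $raw;
    }
    throw new UnexpectedValueException('activation flag is not an integer: ' . var_export($raw, true));
}

// Returns 'confirmed', 'already_activated' or 'not_found'.
function confirmEmail(PDO $pdo, string $email, string $token): string
{
    $email = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    // Validate (not merely sanitise) before touching the database; the token
    // format is the hex output of random_bytes(32) assumed above.
    if ($email === false || preg_match('/\A[0-9a-f]{64}\z/', $token) !== 1) {
        return 'not_found';
    }

    // Look the row up by e-mail only and compare the token in PHP: SQL '=' on a
    // text column may be case-insensitive depending on the collation, whereas
    // hash_equals() is exact and does not leak timing on early mismatches.
    $select = $pdo->prepare('SELECT applicant_token, applicant_email_activated
                             FROM applicants WHERE applicant_email = :email LIMIT 1');
    $select->execute(['email' => $email]);
    $row = $select->fetch();
    if ($row === false || !hash_equals($row['applicant_token'], $token)) {
        return 'not_found';
    }

    if (flagToInt($row['applicant_email_activated']) === 1) {
        return 'already_activated';
    }

    // Flip the flag only if it is still 0, so two concurrent requests with the
    // same link cannot both report a fresh confirmation.
    $update = $pdo->prepare('UPDATE applicants SET applicant_email_activated = 1
                             WHERE applicant_email = :email AND applicant_email_activated = 0');
    $update->execute(['email' => $email]);
    return $update->rowCount() === 1 ? 'confirmed' : 'already_activated';
}

$pdo   = connect();
$token = seed($pdo);
var_dump(confirmEmail($pdo, 'alice@example.com', $token));               // first use of the link
var_dump(confirmEmail($pdo, 'alice@example.com', $token));               // same link used again
var_dump(confirmEmail($pdo, 'alice@example.com', strtoupper($token)));   // token in the wrong case
var_dump(confirmEmail($pdo, 'bob@example.com', $token));                 // unknown applicant
```

The first call on the seeded applicant confirms the address, the second reports it as already activated, and the upper-cased token and the unknown e-mail are both treated as not found, with no distinction between "wrong token" and "no such applicant" visible to the caller. Note that `stripAndCleanHTML()` from the question has no place on this path: the values are bound as query parameters, and `htmlspecialchars()` belongs where a value is rendered into HTML, not before it is compared or stored.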