为什么我会收到 HTTP 500 错误？

Question

I've just finished off this form and I'm trying to get it to work but the server throws a 500 error at me. I don't have access to the server logs and I've looked on here.

I've checked for smart quotes and replaced the ones I could find. I've uploaded it again and I can't work out why it's still throwing this at me.

<?php
    $host = "localhost";
    $user = "username";
    $password = "password";
    $dbname = "database";
    $conn = mysqli_connect($host, $user, $password, $dbname);

    if(!$conn){
        die("Connection failed: " . mysqli_connect_error());
    } ?>

<?php

    $studentID = intval($_POST['studentID']);
    $fname = $_POST['fname'];
    $fname = mysql_real_escape_string($fname);
    $lname = $_POST['lname'];
    $lname = mysql_real_escape_string($lname);

    if($studentID != "")
    {
        if(($fname != "") && ($lname != "")) {
            $sql = "SELECT * FROM Student WHERE StudentID = $studentID AND FirstName = $fname AND LastName = $lname";
        }
        else if ($fname != "") {
            $sql = "SELECT * FROM Student WHERE StudentID = $studentID AND FirstName = $fname";
        }
        else if ($lname != "") {
            $sql = "SELECT * FROM Student WHERE StudentID = $studentID AND LastName = $lname";
        }
        else {
            $sql = "SELECT * FROM Student WHERE StudentID = $studentID";
        }
    }
    else if($fname != "")
    {
        if($lname != ""){
            $sql = "SELECT * FROM Student WHERE FirstName = $fname AND LastName = $lname";
        }
        else {
            $sql = "SELECT * FROM Student WHERE FirstName = $fname";
        }
    }
    else if($lname != "")
    {
        $sql = "SELECT * FROM Student WHERE LastName = $lname";
    }
    else {
        echo "<p>There is no query to submit</p>";
    }

    $result = mysqli_query($conn, $sql);

    if(mysqli_num_rows($result) > 0){
        echo "<table><tr><th>Student ID</th><th>First Name</th><th>Last Name</th><th>Unit 1</th><th>Unit 2</th><th>Unit 3</th><th>Unit 4</th></tr>";

        while($row = mysqli_fetch_assoc($result)){
            echo "<tr><td>" .$row["StudentID"]. "</td><td>" .$row["FirstName"]. "</td><td>" .$row["LastName"]. "</td><td>" .$row["Unit1"]. "</td><td>" .$row["Unit2"]. "</td><td>" .$row["Unit3"]. "</td><td>" .$row["Unit4"]. "</td></tr>";
        }

        echo "</table>"
    }
    else {
        echo "There are no results for your query.";
    }

    mysqli_close($conn);
 ?>

I've checked my console and everything to see if anything will show up there but I'm drawing a blank. Any help would be appreciated.

Answer 1

First of all you need to add php error_reporting() this will help you to find errors and warnings, but only for development environment not for production.

Second , very important, you need to use quotes around string values in your SQL Statements like:

$sql = "SELECT * FROM Student WHERE StudentID = $studentID AND FirstName = '$fname' AND LastName = '$lname'"; // same for other queries

Third , why are you mixing mysqli_* and mysql_* together? you need to use mysqli_real_escape_string() function here and you are using mysql_real_escape_string() .

Fourth , Your code is still open for SQL Injection, you must need to prevent with SQL Attack, you can use prepared statements for this.

Five: i hope this is the typo error here echo "</table>" missing semicolon here.

---

Side Note:

Very Special point : note that mysql_* is deprecated and closed in PHP 7.

Answer 2

You are mixing mysqli_ with the deprecated/removed mysql_ extension. You should use mysqli_real_escape_string , or even better using bind variables. And as others have told if not using bind variables you have to be careful with quoting strings when creating a query