PHP SQL string assignment throws a server error

Question

I am trying to have PHP connect to a MySQL database on an Apache server for the first time. Below is the simple PHP code that I'm using.

 <?php
// To ensure that the $_POST superglobal is accessible.
print_r($_POST);
print_r($_POST['usertype']);

$db = mysqli_connect("localhost", "root", "", "rental_26349188");
if (mysqli_connect_errno()) {
  mysqli_connect_error();
  exit;
}

$sql = "INSERT INTO user_information (usertype, firstname, lastname, phonenumber, email, loginname, password) VALUES (".$_POST['usertype'].", ".$_POST['firstname'].", ".$_POST['lastname'].", ".$_POST['phonenumber'].", ".$_POST['email'].", ".$_POST['loginname'].", ".$_POST['password'].");"

mysqli_query($db, $sql);

mysqli_close($db); 
?>

The database table was previously created with the following SQL command:

CREATE TABLE IF NOT EXISTS `user_information` (   `id` int(255) NOT NULL,   `usertype` varchar(255) NOT NULL,   `firstname` varchar(255) NOT NULL,   `lastname` varchar(255) NOT NULL,   `phonenumber` varchar(255) NOT NULL,   `email` varchar(255) NOT NULL,   `loginname` varchar(255) NOT NULL,   `password` varchar(255) NOT NULL ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

ALTER TABLE `user_information`   ADD PRIMARY KEY (`id`);

ALTER TABLE `user_information`   MODIFY `id` int(255) NOT NULL AUTO_INCREMENT;

I receive the following error when loading the page.

Strangely enough, I found that commenting out the $sql and mysqli_query lines in the PHP code makes it so that the error isn't thrown. I've also tried writing the mysqli commands in an object-oriented fashion, as well as inserting the $_POST['key'] contents into the string with curly-bracket substitution (ie. {$_POST['key']} ), all of which produced the same result. It is also clear that PHP is able to access the database, as it can connect with it and close it.

Why would a SQL string assignment to a PHP variable result in an internal server 500 error? How can I correct my code so that no error is produced?

Answer 1

The response 500 Internal Error usually means a compilation problem, fe a syntax error in the script.

Regarding your script, the line

$sql = "INSERT INTO user_information ... .$_POST['password'].");"

does not end with a semicolon ( ; ) as it should (or you put it inside the string). Add it at the end of the line and the status code 500 will disappear.

Answer 2

I saw nowhere you've used "'" for values - are you sure no one of values have spaces. Also to use direct user input into the SQL query in this way isn't good idea, because it lets sql injections. The MySQL has bindParam mechanism, which makes it safe - I strongly recommend to look in documentation for it. I know my notes are far away of the current problem, but because you told it is first your touch with MySQl, I let my self to do it. Regards

Answer 3

Try:

$db = mysqli_connect("localhost", "root", "", "rental_26349188");
if (mysqli_connect_errno()) {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  exit;
}