
Why doesn't this PHP code work?

<?php
require_once($_SERVER['DOCUMENT_ROOT'].'/api_config.php');

error_reporting(E_ALL);
ini_set("display_errors", 1);
$loc = $_POST['u'];

//initialize the connection to the database
$config = $config['production'];
$con = mysql_connect($config['db']['host'], $config['db']['username'], $config['db']['password']) or die ("Unable to connect");
mysql_select_db ($config['db']['dbname'], $con) or die ("Unable to select database");
$query = "SELECT `location` FROM `active_users` WHERE name = '$loc'";
$result = mysql_query($query, $con) or die ("Unable to run query");

if (mysql_num_rows($result) > 0) { 
// yes, the user exists
    header("HTTP/1.0 200 Success"); 
    header('Content-Type: text/plain');
} else 
// no, user doesn't exist 
    header("HTTP/1.0 404 Not Found");
    header('Content-Type: text/plain');
} 
mysql_close($con);

?>

I get an HTTP Error 500 (Internal Server Error) in my browser. Why?

You forgot to open the else {

You're also not sanitizing your inputs -- you're executing raw SQL that is presumably entered by a user. Turn this:

$query = "SELECT `location` FROM `active_users` WHERE name = '$loc'";

into

$query = "SELECT `location` FROM `active_users` WHERE name = '".mysql_real_escape_string($loc)."'";
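Added example, not part of the original answers: the same lookup written with a PDO prepared statement, next to the concatenated form from the question, so the difference in behaviour is visible on one input. The `mysql_*` functions used above were removed in PHP 7.0, so escaping with `mysql_real_escape_string` is not available on current PHP. Assumptions: an in-memory SQLite database stands in for the MySQL server so the script runs offline, and the rows, inputs and function names are constructed for illustration.

```php
<?php
// Constructed stand-in for the `active_users` table from the question.
// Against MySQL only the DSN changes (mysql:host=...;dbname=...;charset=utf8mb4).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE active_users (name TEXT PRIMARY KEY, location TEXT)");
$pdo->exec("INSERT INTO active_users VALUES ('alice', 'Berlin'), ('bob', 'Lisbon')");

// 'Before': the question's pattern. The input becomes part of the SQL text,
// so a quote character in it changes the structure of the query.
function lookup_concatenated(PDO $pdo, string $loc): array {
    $query = "SELECT location FROM active_users WHERE name = '$loc'";
    return $pdo->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// 'After': the SQL text is fixed when the statement is prepared and the value
// is bound as data, so it can only ever be compared against `name`.
function lookup_prepared(PDO $pdo, string $loc): array {
    $stmt = $pdo->prepare("SELECT location FROM active_users WHERE name = :name");
    $stmt->execute([':name' => $loc]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Maps a lookup result to the status code the question's script would send.
function status_for(array $rows): int {
    return count($rows) > 0 ? 200 : 404;
}

// Constructed inputs: an existing user, a missing user, and a value containing quotes.
$inputs = ['alice', 'nobody', "x' OR '1'='1"];
foreach ($inputs as $u) {
    printf("%-16s concatenated=%d prepared=%d\n", $u,
        status_for(lookup_concatenated($pdo, $u)),
        status_for(lookup_prepared($pdo, $u)));
}
```

The two functions agree on the first two inputs; on the third, the concatenated query matches every row while the prepared one finds no user with that literal name.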
