-3

Possible Duplicate:
Why do I keep getting a 500 error with my PHP?

I am creating a page that allows a user to login to the website. I keep getting a 500 error. Here's the code that gives me an error:

<?php

if(isset($_POST['submit']))
{
    $username = $_POST['username'];
    $password = $_POST['password'];

    include( 'connection.php' );

    if(empty($username) || empty($password))
    {
        $error = 'Please enter your username and password'
    }
    else
    {
        $password = md5($password);
        $sql = mysql_query("SELECT * FROM users WHERE username = $username AND password = $password LIMIT 1") or die(mysql_error)();
        $num_rows = mysql_num_rows($sql);

        if($num_rows == 1)
        {
            $fetch = mysql_fetch_array($sql);
            extract ($fetch);
            echo $username;
        }
        else
        {
            echo 'There was an error while logging in'
        }
    }
?>
Community
Colby Aley
  • 5
    **Your code is vulnerable to SQL injection.** You *really* should be using [prepared statements](http://stackoverflow.com/a/60496/623041), into which you pass your variables as parameters that do not get evaluated for SQL. If you don't know what I'm talking about, or how to fix it, read the story of [Bobby Tables](http://stackoverflow.com/questions/332365/xkcd-sql-injection-please-explain). – eggyal Jul 07 '12 at 23:57
  • 3
    Also, as stated in the PHP manual for the [`mysql_query()`](http://php.net/manual/en/function.mysql-query.php) function: *Use of this extension is discouraged. Instead, the [MySQLi](http://www.php.net/manual/en/book.mysqli.php) or [PDO_MySQL](http://www.php.net/manual/en/ref.pdo-mysql.php) extension should be used. See also [MySQL: choosing an API](http://www.php.net/manual/en/mysqlinfo.api.choosing.php) guide and [related FAQ](http://www.php.net/manual/en/faq.databases.php#faq.databases.mysql.deprecated) for more information.* – eggyal Jul 07 '12 at 23:57
  • 2
    I see a couple of potential errors in the code already: 1. There is no "ifset" function in PHP, so it should be "isset". 2. In the SQL query, the variables $username and $password should be enclosed in quotes since they are string values, e.g. mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$password' LIMIT 1"). So I think you should eliminate those basic errors and then try to figure out if there is something additional that's causing this 500 error. – Software Guy Jul 08 '12 at 00:00
  • @tereško I am not spamming, I am a beginner. Please learn the differences before you accuse me of spamming. – Colby Aley Jul 08 '12 at 00:05
  • @Radu: Perhaps you should address that to the OP :) I don't need to know that.. – Software Guy Jul 08 '12 at 00:09
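
The prepared-statement approach recommended in the comments above, shown as an added example that is not part of the original question or its answers. The table layout, column names, sample accounts and the `check_login()` helper are assumptions made for illustration, and an in-memory SQLite database stands in for MySQL so the script runs offline (requires the pdo_sqlite extension).

```php
<?php
// Added example: the question's login check rewritten with PDO and a
// prepared statement. Schema, accounts and check_login() are constructed;
// with MySQL only the DSN passed to "new PDO(...)" changes.

function check_login(PDO $db, string $username, string $password): ?string
{
    if ($username === '' || $password === '') {
        return null;
    }
    // The "?" placeholder keeps user input out of the SQL text, so quote
    // characters in $username are handled as data and never parsed as SQL.
    $stmt = $db->prepare(
        'SELECT username, password_hash FROM users WHERE username = ? LIMIT 1'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_hash()/password_verify() are swapped in for the question's
    // unsalted md5(); the comparison happens in PHP, not in the WHERE clause.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row['username'];
}

$db = new PDO('sqlite::memory:');
// Raise exceptions on SQL errors instead of "or die(mysql_error())".
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO users VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
$insert->execute(["o'brien", password_hash('s3cret', PASSWORD_DEFAULT)]);

// Constructed attempts: a valid login, a wrong password, a name containing
// an apostrophe (which breaks an interpolated query), and empty input.
$attempts = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ["o'brien", 's3cret'],
    ['', ''],
];
foreach ($attempts as [$user, $pass]) {
    $result = check_login($db, $user, $pass);
    printf("%s => %s\n", var_export($user, true), $result ?? 'rejected');
}
```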

3 Answers

2

During development you can set in your php.ini:

  • error_reporting = E_ALL | E_STRICT
  • display_errors = On
  • display_startup_errors = On

Then in most cases you will see an error description instead of a blank page.

If you are still getting a blank page, then:

  • log_errors = On
  • error_log = php_errors.log

and there is a chance that php_errors.log will have some description.

IMHO the best idea is using xdebug.

mrok
1

ifset() isn't a function. You're looking for isset().

breen
1
$sql = mysql_query("SELECT * FROM users WHERE username = $username AND password = $password LIMIT 1") or die(mysql_error());
William Isted