-2

As part of a larger system, I have a piece of PHP code embedded in a web page to insert values into a database. However, it's returning a completely blank HTML page.

```php
<?php
$mysqli = new mysqli("thing", "stuff", "morestuff", "otherstuff");
if ($mysqli->connect_errno) {
    echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
}

$Name1 = $_POST['forename'];
$Name2 = $_POST['surname'];
$Email = $_POST['email'];
$Admin = $_POST['admin'];
$Pass = "password";

flag = 0;
$User = $Name1;

if (flag == 0) {
    $SQLQuery2 = "INSERT INTO
Table1 (Forename, Surname, Admin, EmailAddress, Username, Password)
VALUES ('$Name1', '$Name2', '$Admin', '$Email', '$User', '$Pass');";
    $mysqli->($SQLQuery2);
    $contents = '<h1>User creation successful</h1>';}
else {$contents = '<h1>Error: Email address already in use.</h1>';}
?>
<html>
<head>
<title>Add User</title>
</head>
<body>
<?php
echo $contents;
?>
</body>
</html>
```

I've cut it down to this from the full system, and (although it's obviously not got the real connection details) the connection details are not the issue, as I'm using an identical SQL connection method elsewhere in my system, with identical details, and it works fine. All the post values are passed in correctly as well.

I've checked the semi-colons at least half a dozen times, and I don't have a clue what the issue could be. Could someone please help?

Edit: I've changed flag to $flag now, but I still have the same error. I've included

```php
error_reporting(-1);
ini_set("display_errors", 1);
```

in the file right under <?php but it's not doing anything.

Second edit: The other main issue was that mysqli->($SQLQuery2) should be mysqli->query($SQLQuery2). I've fixed it and it's working now.

Dakeyras
  • You are **wide open** to SQL injection attacks, and **you will be hacked** if you haven't been already. Use prepared/parameterized queries to avoid this problem entirely. It may very well be where your error is. Also, check your error logs to see what the error message is. – Brad Mar 20 '14 at 19:42
  • Your code is vulnerable to mysql injection, learn more here http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Fabio Mar 20 '14 at 19:42
  • 3
    Check your error logs and/or activate error reporting. – deceze Mar 20 '14 at 19:43
  • 4
    white page of death, error reporting\display are off, turn them on `error_reporting(E_ALL); ini_set('display_errors', 1);` –  Mar 20 '14 at 19:43
  • Some might argue that the naming convention you use isn't standard. What is flag = 0 anyway ;) – J A Mar 20 '14 at 19:43
  • @Brad Vis-a-vis SQL injection, I haven't added validation yet. I'm planning on having a layer of JS validation, and also some SQL validation on top of that to sanitize my data. – Dakeyras Mar 20 '14 at 19:44
  • possible duplicate of [Reference - What does this error mean in PHP?](http://stackoverflow.com/questions/12769982/reference-what-does-this-error-mean-in-php) – deceze Mar 20 '14 at 19:45
  • 1
    @Dakeyras If you think validation has anything to do with SQL injection, you're lacking a fundamental understanding of the problem. Parameterized queries separate the data from the command, preventing the two from ever crossing that boundary. Without at least escaping of data, you could have data that is ambiguous between the data and command causing errors. You really need to fix this before moving on. – Brad Mar 20 '14 at 19:46
  • 1
    @Dakeyras Let me caution you against the "I'll add it later" approach to security. Best to consider it from the start to avoid potentially re-writing or re-factoring significant portions of code later on when you finally get around to securing your application. – Mike Brant Mar 20 '14 at 19:46
  • @Dakeyras JS validation is useless vis-a-vis security, validation is the wrong approach. See [The Great Escapism (Or: What You Need To Know To Work With Text Within Text)](http://kunststube.net/escapism/). – deceze Mar 20 '14 at 19:46
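
The parameterized form that Brad's comments call for, applied to the question's INSERT; this is an added example, not code from the thread. The function name `createUser`, the duplicate-e-mail lookup (a guess at what `$flag` stood for) and the generic error messages are assumptions, and the connection values are the question's placeholders.

```php
<?php
// Added example, not the asker's code.
// Make mysqli throw mysqli_sql_exception instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function createUser(mysqli $db, array $post): string   // hypothetical helper name
{
    // Presence check only: this makes the request usable, it is not the injection defence.
    foreach (['forename', 'surname', 'email', 'admin'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return '<h1>Error: missing field.</h1>';
        }
    }

    // Assumed purpose of the question's $flag: reject an e-mail that already exists.
    $check = $db->prepare('SELECT 1 FROM Table1 WHERE EmailAddress = ? LIMIT 1');
    $check->bind_param('s', $post['email']);
    $check->execute();
    $check->store_result();
    $exists = $check->num_rows > 0;
    $check->close();
    if ($exists) {
        return '<h1>Error: Email address already in use.</h1>';
    }

    $pass = 'password'; // placeholder value from the question
    $stmt = $db->prepare(
        'INSERT INTO Table1 (Forename, Surname, Admin, EmailAddress, Username, Password)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    // Six string parameters: the values are sent separately from the SQL text,
    // so a quote character in a name stays data and never becomes part of the command.
    $stmt->bind_param('ssssss', $post['forename'], $post['surname'], $post['admin'],
        $post['email'], $post['forename'], $pass);
    $stmt->execute();
    $stmt->close();
    return '<h1>User creation successful</h1>';
}

try {
    $mysqli = new mysqli('thing', 'stuff', 'morestuff', 'otherstuff');
    $contents = createUser($mysqli, $_POST);
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());   // details go to the server log, not the page
    $contents = '<h1>Error: could not create user.</h1>';
}
```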

2 Answers

6

Get a better editor:

```php
flag = 0;
...
if (flag == 0) {
```

```php
$flag = 0;
...
if ($flag == 0) {
```

Also, if you run php -l file.php it will check for errors.

Also, while developing:

```php
error_reporting(E_ALL);
ini_set('display_errors', '1');
```
AbraCadaver
  • Thanks! Where do I turn error reporting on? Is it just in the file? And if so, is it within the PHP tags? – Dakeyras Mar 20 '14 at 19:50
  • @Dakeyras: What I posted would go in your PHP file. You can put it in a global include. If you are on a test server/workstation, then change in php.ini. – AbraCadaver Mar 20 '14 at 19:53
  • I've fixed the `flag`, but it still doesn't work and the error reporting isn't active either. – Dakeyras Mar 20 '14 at 20:01
1

It is because you have errors in your code, and PHP is configured to not show you the errors.

Open your php.ini file. You can find the file by using this command:

```
php -r "echo php_ini_loaded_file();"
```

Change to these values:

```ini
error_reporting = -1
display_errors = 1
```

Save the file and restart your server.

Edit: You can turn on errors from inside a PHP file, by putting the following at the top of your script:

```php
error_reporting(-1);
ini_set("display_errors", 1);
```

You can also install a server on your own computer. The XAMPP library is quite easy to install and use.

Sverri M. Olsen
  • I don't have my own server, I'm using some space on my school's. Is there another way to turn error reporting on? – Dakeyras Mar 20 '14 at 19:52