Why am I getting a HTTP 500 error?

Question

I've just finished off this form and I'm trying to get it to work but the server throws a 500 error at me. I don't have access to the server logs and I've looked on here.

I've checked for smart quotes and replaced the ones I could find. I've uploaded it again and I can't work out why it's still throwing this at me.

<?php
    $host = "localhost";
    $user = "username";
    $password = "password";
    $dbname = "database";
    $conn = mysqli_connect($host, $user, $password, $dbname);

    if(!$conn){
        die("Connection failed: " . mysqli_connect_error());
    } ?>

<?php

    $studentID = intval($_POST['studentID']);
    $fname = $_POST['fname'];
    $fname = mysql_real_escape_string($fname);
    $lname = $_POST['lname'];
    $lname = mysql_real_escape_string($lname);

    if($studentID != "")
    {
        if(($fname != "") && ($lname != "")) {
            $sql = "SELECT * FROM Student WHERE StudentID = $studentID AND FirstName = $fname AND LastName = $lname";
        }
        else if ($fname != "") {
            $sql = "SELECT * FROM Student WHERE StudentID = $studentID AND FirstName = $fname";
        }
        else if ($lname != "") {
            $sql = "SELECT * FROM Student WHERE StudentID = $studentID AND LastName = $lname";
        }
        else {
            $sql = "SELECT * FROM Student WHERE StudentID = $studentID";
        }
    }
    else if($fname != "")
    {
        if($lname != ""){
            $sql = "SELECT * FROM Student WHERE FirstName = $fname AND LastName = $lname";
        }
        else {
            $sql = "SELECT * FROM Student WHERE FirstName = $fname";
        }
    }
    else if($lname != "")
    {
        $sql = "SELECT * FROM Student WHERE LastName = $lname";
    }
    else {
        echo "<p>There is no query to submit</p>";
    }

    $result = mysqli_query($conn, $sql);

    if(mysqli_num_rows($result) > 0){
        echo "<table><tr><th>Student ID</th><th>First Name</th><th>Last Name</th><th>Unit 1</th><th>Unit 2</th><th>Unit 3</th><th>Unit 4</th></tr>";

        while($row = mysqli_fetch_assoc($result)){
            echo "<tr><td>" .$row["StudentID"]. "</td><td>" .$row["FirstName"]. "</td><td>" .$row["LastName"]. "</td><td>" .$row["Unit1"]. "</td><td>" .$row["Unit2"]. "</td><td>" .$row["Unit3"]. "</td><td>" .$row["Unit4"]. "</td></tr>";
        }

        echo "</table>"
    }
    else {
        echo "There are no results for your query.";
    }

    mysqli_close($conn);
 ?>

I've checked my console and everything to see if anything will show up there but I'm drawing a blank. Any help would be appreciated.

Answer 1

First of all you need to add php error_reporting() this will help you to find errors and warnings, but only for development environment not for production.

Second, very important, you need to use quotes around string values in your SQL Statements like:

$sql = "SELECT * FROM Student WHERE StudentID = $studentID AND FirstName = '$fname' AND LastName = '$lname'"; // same for other queries

Third, why are you mixing mysqli_* and mysql_* together? you need to use mysqli_real_escape_string() function here and you are using mysql_real_escape_string().

Fourth, Your code is still open for SQL Injection, you must need to prevent with SQL Attack, you can use prepared statements for this.

Five: i hope this is the typo error here echo "</table>" missing semicolon here.

---

Side Note:

Very Special point: note that mysql_* is deprecated and closed in PHP 7.

Answer 2

You are mixing mysqli_ with the deprecated/removed mysql_ extension. You should use mysqli_real_escape_string, or even better using bind variables. And as others have told if not using bind variables you have to be careful with quoting strings when creating a query