I am trying to do a simple POST that is done via ajax. The Ajax call seems to work, but returns with a 500 error.

Code:

```php
if(isset($_POST['name']) && isset($_POST['password']))
{
$sql = "SELECT * FROM kandidaat WHERE name = '".$_POST['name']."' AND password = '".$_POST['password']."' LIMIT 1;";
$conn= mysqli_connect("localhost", "user", "pw", "db")
or die(mysqli_error("error connecting to database"));
$result = $conn->query($sql);
$resultset = new Array();
if ($result->num_rows > 0) {
    $resultset = $result;
    session_start();
    $_SESSION['login_user']= $_POST['name'];
} else {
    $resultset = "0";
}
}
?>
```

The connection is made correctly, I have tested that before.

Kraishan
  • 2
    You have now posted your credentials to a public QA site and exposed yourself to hacking. Have you checked your error logs? – Jay Blanchard Feb 13 '17 at 20:44
  • 1
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Feb 13 '17 at 20:47
  • 1
    **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Feb 13 '17 at 20:47
  • 4
    whoa, question changed significantly from the original post – cmorrissey Feb 13 '17 at 20:47
  • Sorry for this radical change. And thanks for the heads-up! Getting real tired here, been trying to perform a basic action for hours. So I finally made the right connection (after clearing my cache). Right now I seem to get an error 500 (internal server error) with this code, but I don't get any syntax errors. – Kraishan Feb 13 '17 at 20:48
  • Look in your error logs what the error message is – Andy Feb 13 '17 at 20:49
  • Check your error logs for a better explanation of the 500 error. – Jay Blanchard Feb 13 '17 at 20:49
  • 1
    `mysqli_error("error connecting to database")` is incorrect, you can use `mysqli_error($conn)` – cmorrissey Feb 13 '17 at 20:50
  • I don't have an error log because I am doing this per ajax call. – Kraishan Feb 13 '17 at 20:53
  • 3
    An error will/should be getting logged on the server though which will give you more information – Andy Feb 13 '17 at 20:54
  • There is always an error log on the server. PHP logs every error regardless of how it is called. – Jay Blanchard Feb 13 '17 at 20:57

1 Answer

There are multiple things to note in this piece of code.

  1. `mysqli_error("error connecting to database")` is wrong; that function takes the connection as an argument, not a string.
  2. You should use `mysqli_connect_error()` for checking for connection errors, not `mysqli_error()`.
  3. You should add `error_reporting(E_ALL); ini_set('display_errors', 1);` at the top of your file, so you can find the actual errors.
  4. You should take advantage of using prepared statements in your queries, especially those containing PHP variables/user input.
  5. Unless you've got an Array class, you don't initialize a new array with `new Array()`, but just `$resultset = array();`
  6. Some proper indentation makes the code easier to read.
  7. Don't store your passwords in plain text! This is not secure at all! PHP has built-in functions which you should use to handle storing of passwords, see the `password_hash()` function which is a lot more secure!

With these improvements, the code should work - unless there are other errors not visible to us. In any case, it would be easier to figure out what's not working. You should also read up on, and implement points 4 and 7.

```php
error_reporting(E_ALL);
ini_set('display_errors', 1);
if(isset($_POST['name']) && isset($_POST['password']))
{
    $sql = "SELECT * FROM kandidaat WHERE name = '".$_POST['name']."' AND password = '".$_POST['password']."' LIMIT 1;";
    $conn = mysqli_connect("localhost", "user", "pw", "db") or die(mysqli_connect_error());
    if ($result = $conn->query($sql)) {
        $resultset = array();
        if ($result->num_rows > 0) {
            $resultset = $result;
            session_start();
            $_SESSION['login_user']= $_POST['name'];
        } else {
            $resultset = "0";
        }
    } else {
        echo "Query failed: ".mysqli_error($conn);
    }
}
?>
```

Note: You shouldn't display errors on your live site, just while in development. Errors can be used to find vulnerabilities and exploit your code.

Reading material

Qirel
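
Points 4 and 7 of the answer above, applied to the same login check. This is an added example, not code from the question or the answer. It assumes the `password` column of `kandidaat` holds `password_hash()` output written at registration; the helper name `check_login` and the `"1"`/`"0"` response body are hypothetical, and the connection values are the page's placeholders.

```php
<?php
// Added example. Assumes kandidaat.password stores password_hash() output,
// e.g. written at registration with password_hash($pw, PASSWORD_DEFAULT).

// Make mysqli throw exceptions; uncaught ones go to the server error log,
// so display_errors can stay off on the live site.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Return true only if $name exists and $password matches its stored hash. */
function check_login(mysqli $conn, string $name, string $password): bool
{
    // The ? placeholder keeps user input out of the SQL text (point 4).
    $stmt = $conn->prepare("SELECT password FROM kandidaat WHERE name = ? LIMIT 1");
    $stmt->bind_param("s", $name);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true when a row was fetched, null when none
    $stmt->close();

    // Compare in PHP against the hash, not in the WHERE clause (point 7).
    // The raw password is passed unmodified: no escaping or trimming.
    return $found === true && is_string($hash) && password_verify($password, $hash);
}

if (isset($_POST['name'], $_POST['password'])
    && is_string($_POST['name']) && is_string($_POST['password'])) {
    $conn = mysqli_connect("localhost", "user", "pw", "db");
    if (check_login($conn, $_POST['name'], $_POST['password'])) {
        session_start();
        session_regenerate_id(true);   // issue a fresh session ID after login
        $_SESSION['login_user'] = $_POST['name'];
        echo "1";   // hypothetical response body for the Ajax caller
    } else {
        echo "0";   // same reply for unknown user and wrong password
    }
}
```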