-1

I got this code, and it gives me an error 500. I probably got something wrong here, but I really need some help.

Here's my code

<?php include('index.php'); ?>
<?php include('config.php'); ?>
<?php
$fornavn = $_POST['fornavn'];
$efternavn = $_POST['efternavn'];
$postnummer = $_POST['postnummer'];
$alder = $_POST['alder'];

$sql = INSERT INTO medlemmer (fornavn, efternavn, postnummer, alder)
VALUES ('$fornavn', '$efternavn', '$postnummer', '$alder');

if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();
?>

The POST tag is the same in index.php and so. Please help. Thanks in advance!

2accbot
  • 39
  • 9
  • Try `error_reporting(E_ALL);` and `ini_set('display_errors',1)` and you'll get your error – Narendrasingh Sisodia Aug 31 '17 at 08:56
  • Please add more information. – Óscar Andreu Aug 31 '17 at 08:57
  • "500 Internal Server Error" (or a blank page) means your script is throwing an error but PHP is configured to hide it from you. You need to fix it ASAP because coding without the aid of error messages is hard. As quick start, you can set the `error_reporting` and `display_errors` directives in your computer's system-wide `php.ini` file ([details here](http://stackoverflow.com/a/5680885/13508)). Errors thumb rule: show in development, log in production. – Álvaro González Aug 31 '17 at 08:57
  • Your code is vulnerable to SQL injection attacks. You should use parameterised queries and prepared statements to help prevent attackers from compromising your database by using malicious input values. http://bobby-tables.com/ gives an explanation of the risks, as well as some examples of how to write your queries safely using PHP / mysqli. – ADyson Aug 31 '17 at 09:08
  • The obvious error though is that your SQL string isn't in double quotes. PHP tries to parse it as PHP, which it isn't, and chucks an error, which you'd see if you turned on error reporting, and even better, added error logging facilities to your application. – ADyson Aug 31 '17 at 09:09

3 Answers

4

You need to put your query in a string "" first.

<?php include('index.php'); ?>
<?php include('config.php'); ?>
<?php
$fornavn = $_POST['fornavn'];
$efternavn = $_POST['efternavn'];
$postnummer = $_POST['postnummer'];
$alder = $_POST['alder'];

$sql = "INSERT INTO medlemmer (fornavn, efternavn, postnummer, alder)
VALUES ('$fornavn', '$efternavn', '$postnummer', '$alder');";

if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();
?>

Also, use prepared statements to prevent SQL injection.

Turn PHP errors on so that you can see them. Add the following lines to your PHP file:

ini_set('display_errors',1);
error_reporting(E_ALL); 
B. Desai
  • 16,414
  • 5
  • 26
  • 47
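The prepared-statement version that this answer and ADyson's comment recommend, as an added example that is not part of the original thread. It assumes `config.php` defines `$conn` as a mysqli connection, and the validation rules (digits-only `postnummer`, `alder` between 0 and 150) are assumptions rather than requirements from the question. Database errors go to the server log instead of being echoed with the SQL text, following the "show in development, log in production" rule from the comments.

```php
<?php
// Added example: not the asker's or any answerer's code.
// Assumption: config.php defines $conn as a connected mysqli object.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Validates the four form fields and inserts them with a prepared statement.
// Returns a list of validation errors; an empty list means the row was inserted.
function insertMedlem(mysqli $conn, array $input): array
{
    $fornavn    = trim((string)($input['fornavn'] ?? ''));
    $efternavn  = trim((string)($input['efternavn'] ?? ''));
    $postnummer = trim((string)($input['postnummer'] ?? ''));
    $alder      = filter_var($input['alder'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 0, 'max_range' => 150]]);

    $errors = [];
    if ($fornavn === '')           { $errors[] = 'fornavn is required'; }
    if ($efternavn === '')         { $errors[] = 'efternavn is required'; }
    if (!ctype_digit($postnummer)) { $errors[] = 'postnummer must be digits only'; }
    if ($alder === false)          { $errors[] = 'alder must be a whole number'; }
    if ($errors) { return $errors; }

    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $conn->prepare(
        'INSERT INTO medlemmer (fornavn, efternavn, postnummer, alder)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('sssi', $fornavn, $efternavn, $postnummer, $alder);
    $stmt->execute();
    $stmt->close();
    return [];
}

try {
    require 'config.php';
    $errors = insertMedlem($conn, $_POST);
    if ($errors) {
        http_response_code(400);
        echo htmlspecialchars(implode('; ', $errors), ENT_QUOTES, 'UTF-8');
    } else {
        echo 'New record created successfully';
    }
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; do not echo the SQL or driver error to the client.
    error_log('Insert into medlemmer failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Could not save the record.';
}
```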
1

To first see any more possible errors, as it may help to find the problem, type this at the beginning:

ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

Personally, I have always used "" around the SQL query, and I see you haven't done it, so maybe you should add them too, to make it:

$sql = "INSERT INTO medlemmer (fornavn, efternavn, postnummer, alder) VALUES
('$fornavn', '$efternavn', '$postnummer', '$alder')";

Also I assume $conn is defined in your config.php?

DenDen
  • 34
  • 2
1

As mentioned in the comments, first make sure you have error reporting enabled: error_reporting(E_ALL); and ini_set('display_errors',1).

Also look at this SQL query string which hasn't been wrapped in quotes.

$sql = INSERT INTO medlemmer (fornavn, efternavn, postnummer, alder)
VALUES ('$fornavn', '$efternavn', '$postnummer', '$alder');

Should be

$sql = "INSERT INTO medlemmer (fornavn, efternavn, postnummer, alder)
VALUES ('$fornavn', '$efternavn', '$postnummer', '$alder')";
PeteB
  • 124
  • 10