PHP ajax call is executed but returns 500

Question

When I'm running the following ajax call, after clicking the button with id removeAttachment, and data attribute "data-recordid", the script executes the PHP script accordingly, but still the server responds with an error code 500. This results in not finishing the ajax call.

JS

$('#removeAttachment').on("click", function(e){
   e.preventDefault();
   var recordid = $(this).data('recordid');
    if(confirm("Weet je zeker dat je deze bijlage wilt verwijderen?")){
        $.ajax({
            type: 'POST',
            url: ('/functions/maintenance_functions.php?action=removeAttachment'),
            data: {recordId: recordid},
            cache: false,
            success: function(data,status) {
                $('#currentAttachment').hide();
                $('#record_table').bootstrapTable('refresh');
            }
        })
    }
});

PHP - Please note that the php script contains various "actions" which are called by other ajax queries (and are working without a problem!)

if($action=="removeAttachment" && isset($_POST['recordId']) && get_maintequipmentrecord_info($_POST['recordId'],"equipment_id")==$_SESSION['active_maint_equipment'] && can_super_access($page)==true){

$attachment = get_maintequipmentrecord_info($_POST['recordId'],"attachment");
$attachment_file = $_SERVER['DOCUMENT_ROOT']."/_files/maintenance/attachments/".$attachment;

if($attachment!='' && file_exists($attachment_file)) {
    unlink($attachment_file);
}

$stmt = $connect->prepare("UPDATE maintenance_records SET attachment=NULL WHERE record_id=?");
$stmt->bind_param("si", $_POST['recordID']);
$stmt->execute();
$stmt->close();

}

Unfortunately i really can't find what the issue is, as the PHP script and attached functions are executed accordingly (the file is removed from the server, and the database field is set to NULL. Anyone a clue? Thanks!

Edit 12/9/17 Updated the JS at the data part. Also updated the PHP code for inserting the data into MySQL, in order to prevent SQL injections. Many thanks for the comments on that! But still, the script returns an error 500. The PHP log shows the following:

[12-Sep-2017 21:04:45 Europe/Berlin] PHP Warning: >mysqli_stmt::bind_param(): Number of elements in type definition string >doesn't match number of bind variables in >/Applications/MAMP/htdocs/functions/maintenance_functions.php on line $ [12-Sep-2017 21:04:45 Europe/Berlin] PHP Stack trace: [12-Sep-2017 21:04:45 Europe/Berlin] PHP 1. {main}() >/Applications/MAMP/htdocs/functions/maintenance_functions.php:0 [12-Sep-2017 21:04:45 Europe/Berlin] PHP 2. mysqli_stmt->bind_param() >/Applications/MAMP/htdocs/functions/maintenance_functions.php:104

Still, the file is deleted from the server, so apparently it can execute some part of the code! But the value is not deleted from the database, but i can't see what's wrong in the SQL query. FYI, the application is running on a local webserver (nginx + mysql), which will always be disconnected from the internet.

Look at your web server's error logs for a more detailed explanation. — Jay Blanchard, Sep 11 '17 at 12:55
[Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! — Jay Blanchard, Sep 11 '17 at 12:55
Could be a few things - unable to delete the file, malformed sql query etc — cstruter, Sep 11 '17 at 12:59
`mysqli_error()` needs a connection passed as the argument. Best bet to find the error is to look at your logs. — Qirel, Sep 11 '17 at 13:00
[Have you watched the AJAX request / response in the browser's developer tools? Have you included the jQuery library in the project? Are there any errors reported? Are you running this on a web-server?](http://jayblanchard.net/basics_of_jquery_ajax.html) — Jay Blanchard, Sep 11 '17 at 13:03
Make use of the object structure when passing data through AJAX (`{key: value}`). — Script47, Sep 11 '17 at 13:05
The script is running on a local webserver, disconnected from the internet (therefore not so worried yet at SQL injections but yeah i will have a look to improve this soon. Passed the connection to mysqli_error() but this didn't solve it. The error i get is a result from the dev tools from my browser (either safari or Chrome)... — Jan-Willem, Sep 11 '17 at 13:14
So I've updated to prepared statements now, many thanks for your comments @JayBlanchard. But still, unfortunately, it's not working. Updated the code and question — Jan-Willem, Sep 12 '17 at 19:31

score 0 · Answer 1 · answered Sep 12 '17 at 19:33

0

You only need one identifier here:

$stmt->bind_param("si", $_POST['recordID']);

should be :

$stmt->bind_param("i", $_POST['recordID']); // you don't have two elements

You get a mismatch because you identify two elements "si" but only have one variable. Since that variable is an integer, remove the s, leaving it "i".

answered Sep 12 '17 at 19:33

Jay Blanchard

34,243
16
77
119

Many thanks, it wasn't the solution, but your comments at least improved my code! – Jan-Willem Sep 12 '17 at 20:18

score 0 · Answer 2 · answered Sep 12 '17 at 20:20

Solved the issue. Very stupid of mine but there was a small error in the lines above this code (which still doesn't make me understand why a part of the code was working and another part not...) But anyhow, some of your improvements really improved the code :)

PHP ajax call is executed but returns 500

2 Answers2