0

so I get internal server error 500 while trying to access the file with this code off. When I comment the line

$result = $conn->query("SELECT * FROM users WHERE username='$username'");

it's all okay then, but ofcourse I need this to make my code work. Can't find any mistakes in the code. Full code below.

<?php
include("assets/settings.php");
session_start();

$resp = array();

$username = $_POST["username"];
$password = $_POST["password"];

$resp['submitted_data'] = $_POST;

$login_status = 'invalid';

$result = $conn->query("SELECT * FROM users WHERE username='$username'");

if ($result->num_rows > 0) {
    $row = mysqli_fetch_assoc($result);
    if($row['password'] == md5($password)) {
        $login_status = 'success';
        $_SESSION["user"] = $row['id'];
    } else $login_status = 'success';
}
$login_status = 'success';
$resp['login_status'] = $login_status;

if($login_status == 'success')
{
    $resp['redirect_url'] = 'index.php';
}


echo json_encode($resp);
?>
Esteban Vasquez
  • 11
  • 1
  • 3
  • If you add some error handling you might get your script to tell you what's wrong instead of having to poke around at it trying to figure it out yourself. – JimL Dec 28 '17 at 08:30
  • Please use prepared and parameterized queries to avoid sql injection hacks. Inserting variables directly into sql query strings is a huge security problem. You shouldn't be using MD5 for passwords – JimL Dec 28 '17 at 08:30
  • 1
    **Warning:** Your code is SQL Injection vulnerable. Read how to prevent SQL injection here https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Wolen Dec 28 '17 at 08:31
  • Can you check $conn variable has a mysql connection – Deepak Kumar T P Dec 28 '17 at 08:32
  • share your settings.php code also... might be possible – Zeeshan Dec 28 '17 at 08:33
  • You do not specify what web server technology you are running in, or what kind of OS you're on, but I would guess Apache 2 on some kind of linux/debian system, so check your error_log (may be in various places depending on your system, it should contain details of what caused the 500 error. Most likely your `$conn` is not defined, so you are calling `query()` on an undefined variable. Look into your `settings.php`, I expect your database connection parameters (host, port, username, password, database, etc) are invalid and the error checking around this failure is poor to non existent. – Neek Dec 28 '17 at 08:34
  • there's settings.php @XeeShan `connect_error) { die("Connection failed: " . $conn->connect_error); } ?>` – Esteban Vasquez Dec 28 '17 at 08:36

1 Answers1

-1

Your querying need to be as follows

setting.php

  <?php 

     $servername = "localhost";
     $username = "user"; $password = "pass"; $database = "db"; 
     // Create connection 
     $conn = new mysqli($servername, $username, $password, $database); 
     // Check connection 
     if (mysqli_connect_errno()) { 
        die("Connection failed: " .  mysqli_connect_error());

     }

     ?>

Another file should be

<?php
    include("assets/settings.php");
    session_start();

    $resp = array();

    $username = $_POST["username"];
    $password = $_POST["password"];

    $resp['submitted_data'] = $_POST;

    $login_status = 'invalid';

    $result = mysqli_query( $conn ,"SELECT * FROM users WHERE username='$username'");

    if ($row = mysqli_fetch_assoc($result)) {
        if($row['password'] == md5($password)) {
            $login_status = 'success';
            $_SESSION["user"] = $row['id'];
        } else $login_status = 'success';
    }
    $login_status = 'success';
    $resp['login_status'] = $login_status;

    if($login_status == 'success')
    {
        $resp['redirect_url'] = 'index.php';
    }


    echo json_encode($resp);
    ?>

u have missed "mysqli_query"

$result = $conn->query("SELECT * FROM users WHERE username='$username'");

this need change to 

$result = mysqli_query( $conn ,"SELECT * FROM users WHERE username='$username'");
Mahesh Hegde
  • 1,131
  • 10
  • 12