My goal is that the player visiting this page receives +2 gold in their pouch and that the information ends up in the MySQL database.

I have asked a friend who is somewhat more experienced in PHP to look at the code and she tells me everything should work just fine. The problem, however, is that when I visit the page a server 500 error is shown. The column named gold is also present in the database and all other code snippets do work on other pages. Needless to say, I am very curious about what's causing the trouble.

I will post the code below. If things are still unclear please don't hesitate to mention:

<?php
// Initialize the session
session_start();
 
// Check if the user is logged in, if not then redirect him to login page
if(!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true){
    header("location: login.php");
    exit;
}
?>
 
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>De stad Allalhill</title>
    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
    <style>
        body{ font: 14px sans-serif; text-align: center; }
    </style>
</head>
<body>
    <h1 class="my-5">Hoi, <b><?php echo htmlspecialchars($_SESSION["username"]); ?></b>. Welkom in Allalhill in het Mystieke Bosland.</h1>
    <p>
        <a href="welcome.php" class="btn btn-warning">Home</a>
        <a href="logout.php" class="btn btn-danger ml-3">Sign Out of Your Account</a>
    </p>
<br>

<br>
je zoekt naar goud en vind 2 goudstukken. <br>
<?php
require_once 'config.php';
$query = 'UPDATE users SET gold +=2 WHERE username = "$_session['username']"';
?>
<br>
<?php
require_once 'allalhill_square2.php';
?>
<br>
</body>
</html>
John Kugelman
  • Hi Mike. I've done a bit of editing on your question. Around here folks like it when questions skip the greetings and get right to the meaty technical stuff. I'll admit it makes things a bit more rigid (and perhaps less friendly), but it's just a norm that's developed over the years. I hope it's okay with you that I trimmed down the introduction. If not feel free to roll back my edit. – John Kugelman Oct 18 '21 at 00:27
  • 1) you should enable display error in php so that you know what went wrong. 2) You should be using prepared statements with parameters if you pass input to an sql query. 3) Your sql query is not executed, at least the execution code is not in the code you copied into your question. 4) There is a syntax error in your sql code as mysql does not have `+=` operator to increment a value. – Shadow Oct 18 '21 at 00:44

1 Answer

Welcome to the coding world, :)

You need to escape everything that goes into the database:

$query = "UPDATE users SET gold=gold+2 WHERE username = '" . mysqli_real_escape_string($db, $_SESSION['username']) . "'";

PS: And you should not mix HTML & PHP & SQL into one file, but I am sure you will learn that in the future.

Lars Moelleken
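
The points raised in the comment above (use a prepared statement, write the increment without `+=`, and actually execute the query), as an added example that is not code from the question or the answer. It uses PDO with an in-memory SQLite database as a stand-in so it runs without a MySQL server; the function name `add_gold` and the `users(username, gold)` layout are assumptions.

```php
<?php
declare(strict_types=1);

// Added example. Assumed names: add_gold(), table users(username, gold).
// SQLite in memory stands in for MySQL so the script runs without a server;
// for MySQL only the DSN and credentials passed to new PDO() change.

function add_gold(PDO $db, string $username, int $amount): bool
{
    // MySQL has no "+=" operator: write the increment as gold = gold + n.
    // Placeholders keep the username out of the SQL text entirely.
    $stmt = $db->prepare(
        'UPDATE users SET gold = gold + :amount WHERE username = :username'
    );
    $stmt->bindValue(':amount', $amount, PDO::PARAM_INT);
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();               // building a query string alone changes nothing

    return $stmt->rowCount() === 1; // false when no such user exists
}

// Throw on SQL errors instead of failing silently.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Constructed sample data.
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, gold INTEGER NOT NULL DEFAULT 0)');
$db->exec("INSERT INTO users (username, gold) VALUES ('mike', 10), ('o''brien', 0)");

// On the real page the value comes from $_SESSION['username'] (upper case:
// $_session is a different, undefined variable). A quote inside the value
// is bound as data and needs no manual escaping.
foreach (['mike', "o'brien", 'nobody'] as $username) {
    $updated = add_gold($db, $username, 2);
    printf("%-8s updated=%s\n", $username, $updated ? 'yes' : 'no');
}

foreach ($db->query('SELECT username, gold FROM users ORDER BY username') as $row) {
    printf("%-8s gold=%d\n", $row['username'], $row['gold']);
}
```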