Laurent

Reputation: 498

HTTP 500 Error in PHP script

I'm having a 500 error with my register.php file. I have no clue why... I tried some PHP validator websites but they don't help me a lot. xd

Here is the code:

register.php:

<?php
require('connect.php');
// If the values are posted, insert them into the database.
if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = $_POST['username'];
    $email = $_POST['email'];
    $password = $_POST['password'];
    $premium = "false";
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'] ?: $_SERVER['HTTP_CLIENT_IP'] ?: $_SERVER['REMOTE_ADDR'];
    $countrycodeget = json_decode(file_get_contents("https://ipinfo.io/{$ip}"));
    $countrycode = $countrycodeget->country;
    $active = "1"
    $query = "INSERT INTO `user` (username, password, email, premium, ip, countrycode, active) VALUES ('$username', '$password', '$email', '$premium', '$ip', '$countrycode', '$active')";
    $result = mysqli_query($connection, $query);
    if ($result) {
        $smsg = "Your account has been created.";
    } else {
        $fmsg = "An error occured, please try again later.";
    }
}
?>

connect.php:

<?php
$connection = mysqli_connect('localhost', 'xxxx', 'xxxx', 'xxxx');
if (!$connection){
    die("Database Connection Failed" . mysqli_error($connection));
}
$select_db = mysqli_select_db($connection, 'test');
if (!$select_db){
    die("Database Selection Failed" . mysqli_error($connection));
}
?>

Upvotes: 0

Views: 4102

Answers (3)

LSerni

Reputation: 57408

You do have at least one syntax error here:

 $active = "1"

There's no semicolon at the end of the line.

But next time, you should specify:

  • the exact text of the 500 error you're getting (in this case it might have been "Syntax error at line..." which would have been an enormous help)
  • the error in the php_error log, or in the Apache error log, if available

In a pinch, you can get your PHP file analyzed by the command line PHP without involving any validator site:

php -l name/of/your/file.php

Debugging

So you got:

Warning: mysqli_connect(): (HY000/1044): Access denied for user 'admin'@'localhost' to database 'account' in /dir/account/connect.php on line 2

PHP Warning: mysqli_error() expects parameter 1 to be mysqli, boolean given in /dir/account/connect.php on line 4 

The second warning is due to the fact that you passed $connection without checking it to be a valid resource. So:

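$connection = mysqli_connect(...);
// mysqli_connect() returns a mysqli object on success and false on failure.
// is_resource() is always false for objects, so test the type instead.
if (!($connection instanceof mysqli)) {
    die("Connection error"); // And you cannot use $connection.
}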

The first warning is from MySQL:

Warning: mysqli_connect(): (HY000/1044): Access denied for user 'admin'@'localhost' to database 'account' in /dir/

Apparently the user admin has no access rights to the account database.

You need an administrator account to log onto MySQL server, and when you're there:

GRANT ALL PRIVILEGES ON account.* TO 'admin'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;

The first command grants access, and the second command makes it stick. Notice the 'localhost': that's where the server believes that your connection comes from.

You strongly want to give the access host to the exact same host MySQL told you it saw you come from. Even if you believe that it makes no difference, it does (or it might do, and why risk?).

On some systems, even if localhost is widely regarded as a synonym for (say) 127.0.0.1, using the wrong one will make the connection fail (this is actually truer for MySQL, where localhost is not a synonym for 127.0.0.1; but it holds for other sites, where webserver.mydomain.net resolved to x.y.z.k, and yet using x.y.z.k would not work if MySQL server saw you come from webserver.mydomain.net).

Danger Will Robinson!

You have a further problem in your code: you take two values from the user, do not check them, and insert them in your database.

Suppose then that I register a "bobby" account with this password:

LittleBobbyTables', (SELECT password FROM user WHERE username = 'admin'), '...',...) -- '

Your INSERT query becomes now:

INSERT INTO `user` (username, password, email, ...
VALUES ('bobby', 'LittleBobbyTables', (SELECT password FROM user WHERE username = 'admin'), '...',...) -- ', rest of the old code

The account is now created, its password is LittleBobbyTables, and its email is now the password of the admin user.

Hashing the password is not a real solution (even if some people have claimed this), because I can run the same attack on the email field, or even the user field, and recover the hashed password which, if not salted, 95% of the time will allow me to find out what the admin password is. But more to the point, if you don't protect the login page, I'm willing to bet that all the other pages interfacing with the database will be open even wider (on some systems, I could lock out the administrator and gain access for myself by sending an information query from the "contact us" page).

So you want to read this, this, and even this.

Upvotes: 4
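
The injection described in the answer above is closed by binding the values instead of splicing them into the SQL string. The following is an added example, not code from the question or from any answer: it uses PDO with an in-memory SQLite table (an assumption, so that it runs without a MySQL server; mysqli's prepare() and bind_param() bind values the same way), and the function names, credentials and addresses are constructed for the demonstration.

```php
<?php
declare(strict_types=1);
// Added example: registration with bound parameters and a hashed password.
// In-memory SQLite stands in for the MySQL `user` table (assumption).

function open_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT, email TEXT, ip TEXT)');
    return $db;
}

function register_user(PDO $db, string $username, string $password, string $email, string $ip): bool {
    // Refuse anything that is not a syntactically valid IP address before storing it.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    // Placeholders keep the SQL text fixed; user input travels only as data.
    $stmt = $db->prepare('INSERT INTO user (username, password, email, ip) VALUES (?, ?, ?, ?)');
    // password_hash() generates a per-password salt and embeds it in the hash.
    return $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT), $email, $ip]);
}

$db = open_demo_db();
register_user($db, 'admin', 'constructed-admin-secret', 'admin@example.test', '192.0.2.1');

// The string from the answer, elisions included, submitted as the email field.
$payload = "LittleBobbyTables', (SELECT password FROM user WHERE username = 'admin'), '...',...) -- '";
register_user($db, 'bobby', 'constructed-password', $payload, '192.0.2.7');

$q = $db->prepare('SELECT password, email FROM user WHERE username = ?');
$q->execute(['bobby']);
$row = $q->fetch(PDO::FETCH_ASSOC);

// The email column holds the submitted text verbatim; it was never parsed as SQL.
var_dump($row['email'] === $payload);
// Login compares the submitted password against the stored hash.
var_dump(password_verify('constructed-password', $row['password']));
// A value that is not an IP address is rejected before it reaches the database.
var_dump(register_user($db, 'eve', 'constructed-password', 'eve@example.test', "1.2.3.4' -- "));
```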

Rajesh Nadar

Reputation: 167

Update your register.php with the below code

<?php
require('connect.php');
// If the values are posted, insert them into the database.
if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = $_POST['username'];
    $email = $_POST['email'];
    $password = $_POST['password'];
    $premium = "false";
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'] ?: $_SERVER['HTTP_CLIENT_IP'] ?: $_SERVER['REMOTE_ADDR'];
    $countrycodeget = json_decode(file_get_contents("https://ipinfo.io/{$ip}"));
    $countrycode = $countrycodeget->country;
    $active = "1";
    $query = "INSERT INTO `user` (username, password, email, premium, ip, countrycode, active) VALUES ('$username', '$password', '$email', '$premium', '$ip', '$countrycode', '$active')";
    $result = mysqli_query($connection, $query);
    if ($result) {
        $smsg = "Votre compte à bien été créé.";
    } else {
        $fmsg = "Une erreur s'est produite, ré-essayer plus tard.";
    }
}
?>

Upvotes: 1

s27840

Reputation: 477

This line is missing a ; on the end:

 $active = "1"

If not that, look at your Apache/http server logs for errors.

Upvotes: 0
