Tom8001 Posted July 26, 2017

Hello, I am currently working on my forum for a Minecraft server and am trying to code a ban appeal submission form, but when I run the code I get a 500 internal error. I wanted to post my code here since I might have totally misunderstood the logic; I am still fairly new to it all.

And I was told not to use if($_SERVER['REQUEST_METHOD'] == "POST") { Does anyone know the reason for this?

    <?php

    require('con.php');

    if($_SERVER['REQUEST_METHOD'] == "POST") {

        $user = htmlentities($_POST['mineuser'], ENT_QUOTES);
        $forumuser = htmlentities($_POST['forumuser'], ENT_QUOTES);
        $reason = htmlentities($_POST['text'], ENT_QUOTES);

        $stmt = $con->prepare("INSERT INTO banappeal (mineuser, forumuser, reason) VALUES (?, ?, ?)");
        $stmt->bindparam("sss", $user, $forumuser, $reason);

        $user = htmlentities($_POST['mineuser'], ENT_QUOTES);
        $forumuser = htmlentities($_POST['forumuser'], ENT_QUOTES);
        $reason = htmlentities($_POST['text'], ENT_QUOTES);

        $result = $con->prepare("SELECT mineuser FROM banappeal VALUES(?)");
        $result->bindParam("s", $user);

        $user = htmlentities($_POST['mineuser'], ENT_QUOTES);

        $result->execute();
        $stmt->execute();

        if(mysqli_num_rows($result != 0)) {
            echo "An appeal has already been made for the user ".$user." and cannot be appealed more than once. If you wish to appeal again then please contact the server admin.";
        }

        if($stmt === "TRUE") {
            echo "Your appeal for user ".$user." has been submitted and is under review.";
        } else {
            echo "There was an error while processing your request. Please try again later.";
        }

        exit();
    }

    ?>

requinix Posted July 26, 2017

A 500 is often a syntax error, but could be all sorts of things. What does your server error log say?

> And i was told not to use if($_SERVER['REQUEST_METHOD'] == "POST") { Does anyone know the reason for this?

Not me. Context? Source?

mac_gyver Posted July 26, 2017

i'm thinking you are getting a fatal run-time error due to the incorrect usage of prepared query statement objects in your code.

1) do you have php's error_reporting set to E_ALL and display_errors set to ON, preferably in the php.ini on your development system, so that php will help you by reporting and displaying all the errors it detects? if the http 500 error is due to a php error, this will cause the php errors to be displayed.

2) are you making use of the php.net documentation to learn what the statements you are using do and what value they return?

your logic - if(mysqli_num_rows($result != 0)) { and if($stmt === "TRUE") { are basically nonsense that won't work or do anything useful.

some other problems -

1) htmlentities() is an output function. it is only used on values you output on a web page. it is not used on values being put into sql query statements and you have repeated a block of code twice.

2) your SELECT query syntax is invalid. are you making use of the mysql database server documentation to learn how to write queries?

3) if your goal is to only insert a single ban appeal for any user, wouldn't your program logic need to do that? you have some (non-working) logic outputting a message if there is already an appeal for the submitted user, but you are unconditionally executing the INSERT query. this will INSERT a row every time the code gets executed and even if you fix the current program logic so that it does what you want, there's a race condition if there are multiple concurrent requests (think of someone hitting the submit button more than once) that would insert multiple rows of data. also, shouldn't you only accept and process a ban appeal if the user is banned?

to fix the race condition problem and greatly simplify the logic you have, you need to set the mineuser column to be a unique index in your database table. then, all you need to do (one query) is try to insert the data and detect if the query throws a unique index error. if you get to this point, someone can post an example showing how to use exceptions and a try/catch block to do this in your logic.

4) your form processing code needs to validate the input data before using it. what happens if any of the values are empty? should you still run the rest of the code or set up and output validation error messages to the user?

Edited July 26, 2017 by mac_gyver

jbrown1028 Posted July 26, 2017

Just throwing something out there to check... file permissions 644? file owner of con.php or this file? Just grabbing strings here...

Tom8001 (Author) Posted July 26, 2017

Yeah, file permissions are 0644, and my server log:

    [25-Jul-2017 18:10:27 UTC] PHP Fatal error: Call to a member function bindParam() on string in /home/supernatural/public_html/forum/banappeal.php on line 16
    [25-Jul-2017 18:14:15 UTC] PHP Fatal error: Call to a member function bindParam() on string in /home/supernatural/public_html/forum/banappeal.php on line 16
    [26-Jul-2017 12:39:50 UTC] PHP Fatal error: Call to a member function bindParam() on string in /home/supernatural/public_html/forum/banappeal.php on line 16
    [26-Jul-2017 12:52:54 UTC] PHP Warning: mysqli::prepare(): Couldn't fetch mysqli in /home/supernatural/public_html/forum/banappeal.php on line 14
    [26-Jul-2017 12:52:54 UTC] PHP Fatal error: Call to a member function bindparam() on null in /home/supernatural/public_html/forum/banappeal.php on line 15
    [26-Jul-2017 12:53:40 UTC] PHP Warning: mysqli::prepare(): Couldn't fetch mysqli in /home/supernatural/public_html/forum/banappeal.php on line 11
    [26-Jul-2017 12:53:40 UTC] PHP Fatal error: Call to a member function bindparam() on null in /home/supernatural/public_html/forum/banappeal.php on line 12

> also, shouldn't you only accept and process a ban appeal if the user is banned?

This is kind of a tricky one because the banned users are on my Minecraft server, which is on a separate server host, so I could copy the banned txt over to the web server but I would have to keep copying it every time the file is updated.

Edited July 26, 2017 by Tom8001

dalecosp Posted July 26, 2017

> Call to a member function bindParam() on string

See Mac_Gyver's first sentence (and really, the whole post) above. He called it precisely.

Edited July 26, 2017 by dalecosp

mac_gyver Posted July 27, 2017

only the last two pairs of errors seem to apply to the current code. after experimenting to reproduce those errors, you have created a mysqli connection in $con, but you have closed that connection prior to this code (in general, you should just let php close them automatically when the script ends.) you are also trying to mix PDO statements, which would use bindParam(), with mysqli statements, which would use bind_param().

Edited July 27, 2017 by mac_gyver

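
The approach suggested in the replies above (a unique index on mineuser, a single INSERT, and a try/catch for the duplicate-key error), written with PDO only instead of a mix of PDO and mysqli calls. This is an added example, not code from any poster in this thread; the function name `submitAppeal`, the column sizes, and the in-memory SQLite connection standing in for the MySQL connection from con.php are assumptions, and it needs the pdo_sqlite extension to run.

```php
<?php
// Stand-in connection (assumption): the real site would use the MySQL
// connection from con.php; in-memory SQLite keeps this example offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The UNIQUE constraint closes the race: the database, not PHP, decides
// whether an appeal for this user already exists.
$pdo->exec('CREATE TABLE banappeal (
    mineuser VARCHAR(32) NOT NULL UNIQUE,
    forumuser VARCHAR(64) NOT NULL,
    reason TEXT NOT NULL)');

function submitAppeal(PDO $pdo, array $post): string
{
    // Validate first and refuse empty values before touching the database.
    $in = [];
    foreach (['mineuser', 'forumuser', 'text'] as $name) {
        $in[$name] = is_string($post[$name] ?? null) ? trim($post[$name]) : '';
        if ($in[$name] === '') {
            return "Please fill in the '$name' field.";
        }
    }
    // Escape only for output; raw values go to the query as parameters.
    $shown = htmlspecialchars($in['mineuser'], ENT_QUOTES, 'UTF-8');
    try {
        $stmt = $pdo->prepare(
            'INSERT INTO banappeal (mineuser, forumuser, reason) VALUES (?, ?, ?)'
        );
        $stmt->execute([$in['mineuser'], $in['forumuser'], $in['text']]);
    } catch (PDOException $e) {
        // SQLSTATE 23000 is an integrity constraint violation, here the
        // duplicate mineuser. On MySQL, $e->errorInfo[1] === 1062 is narrower.
        if ((string) $e->getCode() === '23000') {
            return "An appeal has already been made for the user $shown.";
        }
        throw $e; // anything else is a real error and belongs in the log
    }
    return "Your appeal for user $shown has been submitted and is under review.";
}

// Constructed sample input: the same form submitted twice.
$form = ['mineuser' => 'Steve<1>', 'forumuser' => 'tom', 'text' => 'Sorry.'];
echo submitAppeal($pdo, $form), "\n";
echo submitAppeal($pdo, $form), "\n";
```

On an existing MySQL table the constraint can be added with `ALTER TABLE banappeal ADD UNIQUE (mineuser)`; two concurrent submissions then cannot both succeed, because the second INSERT fails inside the database.
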
Jacques1 Posted July 27, 2017

I'm having a déjà vu. You had almost the exact same broken code two years ago. Several people went through all the mistakes and explained in great detail how to solve them. For a while, you actually managed to write halfway correct PDO queries. And now you've somehow decided to unlearn everything and become a newbie again? That makes no sense.

Surely the correct PDO queries still exist somewhere in your project. Use those. Not the broken stuff you had before. The new queries. If you don't remember anything, then go through your old forum posts.

You also need to start thinking about the code you write. Right now, you seem to randomly combine syntax elements without any understanding of what the code actually means. This doesn't work.