Possible answers are:
1. always escape strings you use to fetch records from database
2. trust users, don't trust on what they type
For example:
what could happen if you have a page wich displays information based on an ID?
Code:
$sql = "SELECT * FROM table WHERE idrecord = $id_passed_from_post_or_get;";
Now, imagine some user tries to access this page with:
Code:
http://www.example.com/index.php?id=unexpected_sql_statement_here
With that sql statement, _anything_ can happen to your server.
Oh, by the way, for your "HTTP/1.0 500 Internal Server Error" check the server logs. Probably you will see an SQL error there.
Miguel