Unknown column '$memebr_id' in 'where clause'

Hello everyone!

I have a quick question and I'm hoping someone here will be able to lend a hand! When a user registers on my website they are taken to xxx[dot]com/send_activation_mail.php?member=$memebr_id so that the system may send them an activation e-mail. However, users get this error when they arrive at the page: Error 1003 : Unknown column '$memebr_id' in 'where clause'

Clearly, the word member is misspelled. I've tried checking the send_activation_mail.php page and I'm not seeing this in there. I've tried checking other pages as well. When I checked out the database, I see "member_id" in there. Just for fun, I tried changing "member_id" to "memebr_id" thinking that maybe it would resolve the issue... oddly enough, the error code changed to "Error 1003 : Unknown column '$MEMBER_ID' in 'where clause.'

I'm really not sure what to do here! Any advice/recommendations would be appreciated.

 

I have a few guesses, but it would be easier if you could just post your code.

 

Sorry about that! I've pasted the code below.

Thank you for your help!

<?php
    require_once ('./Class/DataBase.class.php');
    require_once ('./Class/Authentication.class.php');
    require_once ('./Class/Mail.class.php');
    require_once ('./Class/Settings.class.php');

    $dbcon = new DataBase();
    $auth = new Authentication(false);
   
    if (isset($_GET['member'])) $member_id = $_GET['member'];
    else header("Location: error_page.php?msg=document not found");
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>XXX</title>
<?php require_once('Template/common_includes.php') ?>
</head>

<body>
<?php require_once('Template/template_top.php') ?>
                    <div class="left">
<?php
    try
    {
        $sql = "SELECT FIRST_NAME, LAST_NAME, EMAIL, CONF_KEY, STATUS FROM MEMBER WHERE MEMBER_ID = $member_id";
        $result = $dbcon->executeQuery($sql);    
       
        if (mysql_num_rows($result) > 0)
        {
            $row = mysql_fetch_row($result);
           
            if ($row[4] == 1)
            {
                //sending the mail
                $mail = new Mail();
                $member_name = $row[0] . " " . $row[1];
                $message = Settings::emailConfirmation($member_id, $member_name, $row[3]);
                $mail->setSubject("XXX - Account Activation Required");
                $mail->setMessage($message);
                $mail->setRecipientsTo(array(array($row[2], $member_name)));
               
                if($mail->sendMessage() == 0){
?>
                    <h1>Sending Failed!</h1>
<?php
                }else{
?>
                    <h1>Thank you for registering!</h1>
                    <br />
                    <br />
                    <p>
                        An activation email has been sent to:
                    </p>
                    <br />
                    <div class="round-a-gray">
                        <div class="inner_div"> 
                            <p>
                                <strong><?php echo $row[2] ?></strong>
                            </p>
                        </div>
                    </div>
                    <br />
                    <br />
                    <p>
                        Please check your inbox and click on the link provided in order to verify your email address.
                    </p>
                    <br />
                    <br />
<?php
                }
            }
            else
            {
                header("Location: index.php");
            }
        }
        else
        {
            header("Location: index.php");
        }
    }
    catch (Exception $e)
    {
        echo $e->getMessage();
    }
?>
                        <p>
                            Click <a href="send_activation_mail.php?member=<?php echo $member_id ?>">here</a> to resend the e-mail.
                           </p>
                    </div>
                    <div class="right">
<?php require_once('Template/right_column.php') ?>                       
                    </div>
<?php require_once('Template/template_bottom.php') ?>

Code (markup):

 

The issue here is that the final SQL you have will look something like:

SELECT FIRST_NAME, LAST_NAME, EMAIL, CONF_KEY, STATUS FROM MEMBER WHERE MEMBER_ID = $member_id

Code (markup):

Which will fail, since $member_id will be treated as a column (since it is not escaped). I am pretty sure that the url you are making is in single quotes, so $member_id is convereted to a string and not the actual number:

$url = 'xxx[dot]com/send_activation_mail.php?member=$memebr_id';

// Should be
$url = "xxx[dot]com/send_activation_mail.php?member=$memebr_id";

Code (markup):

Additionally, you should always escape your SQL params (or use parametized queries instead). So do:

$sql = "SELECT `FIRST_NAME`, `LAST_NAME`, `EMAIL`, `CONF_KEY`, `STATUS` FROM MEMBER WHERE `MEMBER_ID` = '$member_id'";

Code (markup):

Also if you are not going to be using parametrized queries, the least you can do is typecast the variables used:

if (isset($_GET['member'])) $member_id = (int) $_GET['member'];

Code (markup):

 

Thank you for your help! Your recommendations resolved the problem. I didn't code this site - it was done by someone else about 6 or 7 years ago. It seems to be riddled with errors and I'm not really familiar enough with PHP and MySQL to tackle all of them. I appreciate you taking the time to lend a hand! Thanks again.

 

I would recommend getting someone in to redo at least the database connections and - queries. If the rest of the site looks like that, it's riddled with security problems, which will come back and bite you, if this site is publicly available online.