phpmailer throwing a mysql error

Question

I am trying to use phpmailer to send out a newsletter, but I keep getting the following error every time I try to trigger it. I'm not sure if my sql syntax is correct or not ?

Warning: mysql_fetch_array() : supplied argument is not a valid MySQL result resource in view.html.php(38):eval()'d code on line 32

<?php
$formid = $_GET[token];
$templatequery = mysql_query("
    SELECT * 
    FROM hqfjt_chronoforms_data_addmailinglistmessage 
    WHERE cf_id = '$formid'"
) or die(mysql_error());

$templateData = mysql_fetch_object($templatequery);

$gasoiluserTemplate = $templateData->gasoilusers;
$dervuserTemplate = $templateData->dervusers;
$kerouserTemplate = $templateData->kerousers;
$templateMessage = $templateData->mailinglistgroupmessage;
?>  

<?php
require_once('./send/class.phpmailer.php');
//include("class.smtp.php"); // optional, gets called from within class.phpmailer.php if not already loaded
$mail = new PHPMailer(true); //defaults to using php "mail()"; the true param means it will throw exceptions on errors, which we need to catch

// $body = file_get_contents('contents.html');
$body = 'Dear Test this is a test.';
// $body = preg_replace('/\\\\/i', $body);

$mail->SetFrom('crea@cruiseit.co.uk', 'List manager');
$mail->AddReplyTo('crea@cruiseit.co.uk', 'List manager');

$mail->Subject = "Mailing List Test";

$query = "
    SELECT leadname,businessname,email 
FROM hqfjt_chronoforms_data_addupdatelead 
WHERE keromailinglist='$kerolist' 
    AND dervmailinglist='$dervlist' 
    AND gasoilmailinglist='$gasoillist'";
$result = @MYSQL_QUERY($query);

while ($row = mysql_fetch_array ($result)) {
    $mail->AltBody    = "To view the message, please use an HTML compatible email viewer!"; // optional, comment out and test
    $mail->MsgHTML($body);
    $mail->AddAddress($row["email"], $row["full_name"]);
    $mail->AddStringAttachment($row["photo"], "YourPhoto.jpg");

    if(!$mail->Send()) {
        echo "Mailer Error (" . str_replace("@", "&#64;", $row["email"]) . ') ' . $mail->ErrorInfo . '<br>';
    } else {
        echo "Message sent to :" . $row["full_name"] . ' (' . str_replace("@", "&#64;", $row["email"]) . ')<br>';
    }
    // Clear all addresses and attachments for next loop
    $mail->ClearAddresses();
    $mail->ClearAttachments();
}
?>

EDIT >>>>>>

I have now added the error checking, but now just get a blank page with no errors, but also no mail ?

            <?php

                   $formid = $_GET[token];
            $templatequery = mysql_query("SELECT * FROM hqfjt_chronoforms_data_addmailinglistmessage WHERE cf_id = '$formid'") or die(mysql_error());
            $templateData = mysql_fetch_object($templatequery);

            $gasoiluserTemplate = $templateData->gasoilusers;
            $dervuserTemplate = $templateData->dervusers;
            $kerouserTemplate = $templateData->kerousers;
            $templateMessage = $templateData->mailinglistgroupmessage;
                ?>  
                    <?php
            require_once('./send/class.phpmailer.php');
            //include("class.smtp.php"); // optional, gets called from within class.phpmailer.php if not already loaded

            $mail = new PHPMailer(true); //defaults to using php "mail()"; the true param means it will throw exceptions on errors, which we need to catch

            // $body                = file_get_contents('contents.html');

            $body = 'Dear Test this is a test.';

            // $body = preg_replace('/\\\\/i', $body);

            $mail->SetFrom('crea@cruiseit.co.uk', 'List manager');
            $mail->AddReplyTo('crea@cruiseit.co.uk', 'List manager');

            $mail->Subject       = "Mailing List Test";

            $query  = "SELECT leadname,businessname,email FROM hqfjt_chronoforms_data_addupdatelead WHERE keromailinglist='$kerolist' AND dervmailinglist='$dervlist' AND gasoilmailinglist='$gasoillist'";
            $result = mysql_query($query);

            // Bail out on error 
if (!$result)  
  { 
    trigger_error("Database error: ".mysql_error()." Query used was:     ".htmlentities($query), E_USER_ERROR); 
    die();
    }


            while ($row = mysql_fetch_array ($result)) {
              $mail->AltBody    = "To view the message, please use an HTML compatible email viewer!"; // optional, comment out and test
              $mail->MsgHTML($body);
              $mail->AddAddress($row["email"], $row["full_name"]);
              $mail->AddStringAttachment($row["photo"], "YourPhoto.jpg");

              if(!$mail->Send()) {
                echo "Mailer Error (" . str_replace("@", "&#64;", $row["email"]) . ') ' . $mail->ErrorInfo . '<br>';
              } else {
                echo "Message sent to :" . $row["full_name"] . ' (' . str_replace("@", "&#64;", $row["email"]) . ')<br>';
              }
              // Clear all addresses and attachments for next loop
              $mail->ClearAddresses();
              $mail->ClearAttachments();
            }
            ?>

Answer 1

Your code it not doing any error checking, so it's no surprise the query breaks silently when it fails. Check for errors and it will tell you what is going wrong - how to do it is outlined in the manual on mysql_query() or in this reference question.. And remove the @ in front of mysql_query()! Example:

$result = mysql_query($query);

// Bail out on error 
if (!$result)  
  { 
    trigger_error("Database error: ".
                  mysql_error().
                  " Query used was: ".
                  htmlentities($query), E_USER_ERROR); 
    die();
   }

This will show you what goes wrong exactly, and what the final query looks like that is being used.

As a side note (and possibly, also the solution to your root cause) the code you show is vulnerable to SQL injection. This may be what is breaking your query.

You need to do mysql_real_escape_string() on all incoming values like so:

$formid = mysql_real_escape_string($_GET["token"]);

Answer 2

The @ before the function call is suppressing the error that should tell you what's going on.