There are multiple problems here:
Code:
$mailer = mysql_query("SELECT customer_information.email, customer_information.email_subject, customer_information.email_body FROM customer_information where sent_or_not_sent = '199'") or die (mysql_error());
while($user = @mysql_fetch_array($mailer)){
Don't use die() in production scripts, it's bad practice (I don't know why they're so widely used in tutorials, if that's where you got the inspiration). Especially - don't print the mysql_error to the screen - you will be potentially exposing sensitive information. Instead, redirect to an error page and log the error on the server. If this script is never accessed directly, then just log the error on the server.
Instead of killing the script with die(), use a conditional:
Code:
if ($mailer !== false) { // Check that the result is not false
    while ($user = @mysql_fetch_array($mailer)) {
        // ... process the row ...
    }
} else {
    // redirect to the error page
}
Next, don't use the error suppression operator. If an error happens, you want to know about it. Remove the @ from the while loop:
Code:
while($user = @mysql_fetch_array($mailer)){
After that, make sure to use quotes when accessing associative array indexes:
Code:
$to=$user['email'];
$subject=$user['email_subject'];
$body=$user['email_body'];
PHP recognizes it without the quotes but issues an E_NOTICE error. If you aren't seeing those notices, you should set your error reporting to a higher level; they are important.
Also, if you are only using the associative indexes, use mysql_fetch_assoc() instead (mysql_fetch_array also fetches the numerical indexes).
The last thing is to make sure that the values that come from the database don't contain code that could be injected into your scripts. For example, multiple email addresses separated by commas might be stored in the email column. This should probably be handled in the script that inserts the data into the database.
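
The check from the last paragraph, combined with the log-instead-of-print advice, as an added example that is not part of the original post. `safe_mail_fields()` and the sample rows are hypothetical and constructed here; the code assumes PHP 7.1 or later.

```php
<?php
// Added example: validate mail fields read from the database before mail().
// safe_mail_fields() and the sample rows are hypothetical, constructed here.

/**
 * Return [to, subject, body] if the row is safe to hand to mail(),
 * or null after logging the reason server-side (nothing is printed).
 */
function safe_mail_fields(array $row): ?array
{
    $to      = trim($row['email'] ?? '');
    $subject = $row['email_subject'] ?? '';
    $body    = $row['email_body'] ?? '';

    // Exactly one syntactically valid address: rejects "a@x, b@y" lists
    // and anything containing CR/LF or other separators.
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        error_log('mailer: rejected recipient ' . json_encode($to));
        return null;
    }
    // CR/LF in the subject would let stored data add extra mail headers.
    if (preg_match('/[\r\n]/', $subject)) {
        error_log('mailer: rejected subject with line break for ' . $to);
        return null;
    }
    return [$to, $subject, $body];
}

// Constructed rows standing in for mysql_fetch_assoc() results.
$rows = [
    ['email' => 'alice@example.com', 'email_subject' => 'Hello', 'email_body' => 'Hi Alice'],
    ['email' => 'bob@example.com, eve@example.net', 'email_subject' => 'Hello', 'email_body' => 'Hi'],
    ['email' => 'carol@example.com', 'email_subject' => "Hello\r\nBcc: eve@example.net", 'email_body' => 'Hi'],
];

foreach ($rows as $row) {
    $fields = safe_mail_fields($row);
    if ($fields === null) {
        continue; // already logged; skip this row instead of die()
    }
    [$to, $subject, $body] = $fields;
    // mail($to, $subject, $body);  // real send, left commented out here
    echo "would send to $to\n";
}
```

The same validation belongs in the script that inserts the rows, so that bad values are rejected before they are stored; checking again at send time covers rows that were already in the table.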