I think the variable name in PHP is case sensitive, in the posted code, there are two id variables with different case
$id = null;
$ID = mysqli_real_escape_string($conn, $_GET['id']);
The first one (
$id
) was being assigned a null value and being used in the query, which I think it should be
$ID
$sql = "SELECT * FROM freshwater WHERE id='$id' ";
And the code might be vulnerable to SQL injection and XSS attacks.
PHP MySQLi Prepared Statements Tutorial to Prevent SQL Injection[
^]
Example of SQL Injection and Cross site Scripting (XSS) attacks:
SQL Injection and Cross-Site Scripting[
^]