First, never trust data from the user, so patch this:
$id = $_GET['customerID'];
With
$id = mysql_real_escape_string($_GET['customerID']);
It sanitizes your value (although it's not completely safe).
For your main problem, in
if($id != 'order.customerID'){
order.customerID is just a string. The correct way to check would be to execute the query first, then check if any rows have returned using mysql_num_rows(); if not, display an error message, else carry on.
$rs = mysql_query($sql, $conn) or die ('Problem with query' . mysql_error());
if($rs && mysql_num_rows($rs)>0){
    //query success and rows returned
}
else
{
    //no row matched the supplied customer ID
    die('Invalid Customer ID entered');
}
Note: Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi; this article will help you decide which. If you choose PDO, here is a good tutorial.
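The same "run the query, then check whether any rows came back" logic written with PDO prepared statements, as an added example (not code from the answer above). It assumes an `orders` table with a `customerID` column and uses placeholder connection details.

```php
<?php
// Added example (not from the original answer): the customer-ID check done with
// PDO prepared statements instead of mysql_*.
// Assumptions: an `orders` table with a `customerID` column; the DSN and
// credentials below are placeholders for your own.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=shop;charset=utf8mb4', // placeholder DSN
        'app_user',                                          // placeholder user
        'app_password',                                      // placeholder password
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
            PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

/**
 * Returns the matching order rows, or an empty array when no such customer exists.
 * The user-supplied value never becomes part of the SQL text; it is bound as a parameter.
 */
function ordersForCustomer(PDO $pdo, string $rawId): array
{
    // Validate the type up front: a customer ID is a positive integer, nothing else.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return []; // not a valid ID; treated exactly like "no rows"
    }

    $stmt = $pdo->prepare('SELECT * FROM orders WHERE customerID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll(); // [] when nothing matched
}

// Usage: execute first, then decide based on whether rows were returned.
$pdo  = connect();
$rows = ordersForCustomer($pdo, $_GET['customerID'] ?? '');

if ($rows === []) {
    http_response_code(404);
    exit('Invalid Customer ID entered');
}
// rows returned; carry on
```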