How can I ensure that SQL statements are not displayed if an end user types the wrong variable name in the URL?

There are two separate problems here:

  1. You have code that causes an error.
  2. That error is exposing information to end users that you don’t want to expose.

The problem that’s causing #2 is that you have error printing enabled in a production environment, which is against best practice. Error reporting is controlled by a PHP configuration parameter. This doesn’t involve WordPress and your host should be able to help with this. However, keep in mind that if you do not have a staging or testing environment you would be unaware of any errors that are occurring. So make sure that your errors are at least being logged somewhere that you can check.

The problem that’s causing #1 in the first place is that your site’s code is apparently taking the value of the pubid parameter and putting it directly into an SQL query. This is a major security problem. I cannot understate the severity of this issue. If this is a production site you should remove the code that’s responsible for this feature immediately. If you don’t know how to do this, and if you have users’ personal data in your database, then you need to take your site offline.

In your example pubid is a number. Therefore in your code when you access $_GET['pubid'] you need to include code that makes sure that this value is a number. If it is not a number then you should not run the query at all. For example, using WordPress’s absint() function:

if ( ! isset( $_GET['pubid'] ) ) {
    return;
}

$pubid = absint( $_GET['pubid'] );

if ( ! $pubid ) {
    return;
}

// Perform query.

The important thing is that you should never accept external data and use it in an SQL query without first making sure that the value is safe and valid. Not doing so leaves you vulnerable to ‘SQL injection’ attacks.

In your query you should also be making use of $wpdb->prepare() to safely insert values into an SQL statement.
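
The validation and the prepared query described in the answer above, combined in one function. This is an added example, not part of the original answer or the asker's code. It assumes WordPress is loaded; the function name, the `publications` table and its columns are hypothetical.

```php
<?php
// Added example: assumes WordPress is loaded (e.g. in a plugin or theme file).
// The function name, the "publications" table and its columns are hypothetical.

function example_get_publication_from_request() {
    global $wpdb;

    // 1. Reject the request if the parameter is missing or is not a plain string
    //    (PHP turns ?pubid[]=1 into an array).
    if ( ! isset( $_GET['pubid'] ) || ! is_string( $_GET['pubid'] ) ) {
        return null;
    }

    // 2. Accept digits only. absint( '12abc' ) yields 12, so ctype_digit() runs
    //    first to refuse mixed input outright instead of silently truncating it.
    $raw = wp_unslash( $_GET['pubid'] );
    if ( ! ctype_digit( $raw ) ) {
        return null;
    }

    $pubid = absint( $raw );
    if ( ! $pubid ) {
        return null; // 0 is not a valid ID.
    }

    // 3. Bind the value through a %d placeholder; it is never concatenated
    //    into the SQL string. The table name is built from trusted values only.
    $table = $wpdb->prefix . 'publications';
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE id = %d",
        $pubid
    );

    $row = $wpdb->get_row( $sql );

    // 4. On a database error, write to the server log instead of the page.
    if ( $wpdb->last_error ) {
        error_log( 'Publication lookup failed: ' . $wpdb->last_error );
        return null;
    }

    return $row; // Object with id and title, or null when no row matches.
}
```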