How can I sort my sql query by changing variable?

Question

I have this

$order = $_POST['order'];
$query = mysql_query("select wins from $usertable where id='$id' ORDER BY '$order' DESC");

Now the $order echoes properly but the $query doesn't return anything after returning it properly. Can anyone help me understand why ?

Dont enclose your `mysql_query()` function in quotes. Also, escape your `$_POST` data. — Phil Cross, Feb 04 '14 at 18:20
**Warning:** You've create a classical security vulnerability which allows a hacker to do anything with your database he likes, including manipulating and deleting data. For details about what the mistake is and how to prevent it, inform yourself about [SQL Injections](http://php.net/manual/en/security.database.sql-injection.php). — Philipp, Feb 04 '14 at 18:23

score 1 · Accepted Answer · edited Feb 05 '14 at 15:13

1

Remove quotes from $id and $order variable

$query = mysql_query("select wins from $usertable where id=$id ORDER BY $order DESC");

It will work fine then.

edited Feb 05 '14 at 15:13

Aamir Shahzad

answered Feb 04 '14 at 18:34

score 0 · Answer 2 · answered Feb 04 '14 at 18:35

0

If $id or $order are intended to be numeric, it doesn't need to be in single quotes, just sanitized.

Replace your mysql_query with mysqli_query, as the former is deprecated. You also need to sanitize that post data to protect against injection.

answered Feb 04 '14 at 18:35

dsimer

score -1 · Answer 3 · answered Feb 04 '14 at 18:21

-1

try this

$query = mysql_query("select wins from $usertable where id='$id' ORDER BY '$order' DESC");

answered Feb 04 '14 at 18:21

user1844933

3 Answers3