Originally Posted by Old Pedant
The % here is a mistake:
AND orders.OrderID = '" . $_GET['order'] . "%'
Also the '...' around $_GET['order'] is a mistake if ORDERID is always a number.
Plus you need to "sanitize" the $_GET value, to prevent SQL injection.
I figured it out before this. But thanks anyways.