Wrong:
Code:
. ' ORDER BY \'' . $stat_id . '\' DESC '
Right:
Code:
. ' ORDER BY `' . $stat_id . '` DESC '
Those characters I changed to are BACK TICKS. The ` character usually shares the keyboard key with the ~ tilde character.
I am *assuming* that $stat_id is supposed to be the name of an existing field (a.k.a. "column", though that's a misnomer) in the table.
And if that is so, then THIS line is also a mistake:
Code:
$stat_id = mysql_real_escape_string($_GET['STAT_ID']);
You do *NOT* want to escape a field name the same way you would a text data item.
Unless you have field names that include spaces or other non-standard characters, I wouldn't use
Code:
stripslashes($_GET['STAT_ID']);
either. Almost surely all you want to do is verify that $_GET['STAT_ID'] contains no characters other than letters, digits, and maybe underlines (if you use underlines in your field names). If not, simply reject the entire request, because then STAT_ID can't possibly be a valid field name.
Tell you what, give me a list of *ALL* the field names in your batters_career_stats table and we will rewrite this simpler.
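
An added example, not part of the original post, of the check described above: reject any STAT_ID that is not purely letters, digits and underscores, then confirm it is a known field before placing it in backticks after ORDER BY. The column names in SORTABLE_COLUMNS and the helper function names are hypothetical; only the table name comes from the post.

```php
<?php
// Added example. Column names below are hypothetical placeholders;
// replace them with the real field names of batters_career_stats.
const SORTABLE_COLUMNS = ['HR', 'RBI', 'AVG', 'STOLEN_BASES'];

/**
 * Return a backtick-quoted column name that is safe to place after
 * ORDER BY, or null if the value cannot be a valid field name.
 */
function order_by_column($raw, array $allowed)
{
    // Step 1: a string of letters, digits and underscores only.
    // \A and \z anchor the whole value; "$" would accept a trailing newline.
    if (!is_string($raw) || !preg_match('/\A[A-Za-z0-9_]+\z/', $raw)) {
        return null;
    }
    // Step 2: must be one of the known fields (strict comparison).
    if (!in_array($raw, $allowed, true)) {
        return null;
    }
    return '`' . $raw . '`';
}

function build_query($raw)
{
    $col = order_by_column($raw, SORTABLE_COLUMNS);
    if ($col === null) {
        return null; // caller rejects the entire request
    }
    return 'SELECT * FROM `batters_career_stats` ORDER BY ' . $col . ' DESC';
}

// Constructed sample values standing in for $_GET['STAT_ID'].
// The last one is what PHP delivers for a request like ?STAT_ID[]=HR.
$samples = ['HR', 'STOLEN_BASES', 'HR` DESC', "HR'", "HR\n", 'NOT_A_FIELD', ['HR']];
foreach ($samples as $s) {
    $q = build_query($s);
    echo json_encode($s), ' => ', $q === null ? 'REJECTED' : $q, PHP_EOL;
}
```

Only the first two samples produce a query; every other value is rejected before any SQL is built, so no escaping function is involved for the field name at all.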