ORDER BY php

lands

WHAT IS WRONG WITH THIS CODE? as you can see im ordering how to display info, for example if they click order by id, it will have the link.php?order=id&by=ASC but when i do that it shows the info as it would normally and not by any order

$start_from = ($page-1) * 50;
$order=$GET['order'];
$by=$GET['by'];

$result = mysql_query("SELECT * FROM members ORDER BY '$order' '$by' LIMIT $start_from, 50");

laserlight

Single quotes are used to quote strings in SQL. You want to quote a column name, and you should not be quoting ASC or DESC. The standard way to quote column names in SQL is to use double quotes, but in the case of MySQL you may have to use backticks (`) instead.

Also, as-is your code would be vulnerable to SQL injection. You should validate that the provided column name is indeed a valid column name, and that the provided ordering orientation is indeed either ASC or DESC. (mysql_real_escape_string would be wrong here precisely because you are not dealing with SQL strings here.)