What's wrong in my sorting method (AJAX, PHP&MySQL)

Question

Hi i am building software download site. and need to sort software through drop down menu i have gone through w3Schools example (see here) for sorting data through AJAX and made some changes according to my requirement and it is not working properly, when i choose to sort data from picking any category it shows me whole data from database without sorting it respective to category selected to sort.

what i am doing wrong

Please help.

HTML

    <form>
<select name="users" onchange="showUser(this.value)">
<option value="">Select a person:</option>
<option value="id">id</option>
<option value="title">title</option>
<option value="image">image</option>
<option value="description">description</option>
<option value="description">rating</option>
<option value="download">download</option>
<option value="buy">buy</option>
</select>
</form>
<br />
<div id="txtHint">content</div>   

Javascript(AJAX)

    <script type="text/javascript">
function showUser(str)
{
if (str=="")
  {
  document.getElementById("txtHint").innerHTML="";
  return;
  }
if (window.XMLHttpRequest)
  {// code for IE7+, Firefox, Chrome, Opera, Safari
  xmlhttp=new XMLHttpRequest();
  }
else
  {// code for IE6, IE5
  xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
  }
xmlhttp.onreadystatechange=function()
  {
  if (xmlhttp.readyState==4 && xmlhttp.status==200)
    {
    document.getElementById("txtHint").innerHTML=xmlhttp.responseText;
    }
  }
xmlhttp.open("GET","getuser.php?q="+str,true);
xmlhttp.send();
}

PHP

    <?php
$q=$_GET["q"];

$con = mysql_connect('localhost', 'root', '');
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("security_software", $con);

$sql="SELECT * FROM internet_security ORDER by '".$q."' DESC" ;


$result = mysql_query($sql);

echo "<table border='1'>
<tr>
<th>id</th>
<th>title</th>
<th>image</th>
<th>description</th>
<th>rating</th>
<th>download</th>
<th>buy</th>
</tr>";

while($row = mysql_fetch_array($result))
  {
  echo "<tr>";
  echo "<td>" . $row['id'] . "</td>";
  echo "<td>" . $row['title'] . "</td>";
  echo "<td>" . $row['image'] . "</td>";
  echo "<td>" . $row['description'] . "</td>";
  echo "<td>" . $row['rating'] . "</td>";
  echo "<td>" . $row['download'] . "</td>";
  echo "<td>" . $row['buy'] . "</td>";
  echo "</tr>";
  }
echo "</table>";

mysql_close($con);
?> 

Answer 1

The PHP can't be working because you are using single quotes in the ORDER BY clause. This won't order them by the specified field because you're passing a string.

Try backticks:

$sql="SELECT * FROM internet_security ORDER by `".$q."` DESC" ;

I also recommend using a whitelist of values for the order by clause because it is a field name, you don't want to allow any string in there (even if it has been through real_escape). Set an array of possible values and only allow those.

Answer 2

Try using mysql_fetch_assoc(), instead of mysql_fetch_array().

If that fails try to print $result if it holds any value, then try using mysql_num_rows to determine if your query is executing properly.

As what i can see everything in your code is correct, though my brain is not a compiler so it's best for you to trap your errors properly. :)