I'm working on a tutorial and copied the code below exactly but I'm getting the following error message. Any ideas what's wrong with the syntax?
Database query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'BY position ASC' at line 2
    function get_pages_for_subject($subject_id, $public = true) {
        global $connection;
        $query = "SELECT * FROM pages WHERE subject_id = .$subject_id.";
        if ($public) {
            $query .= "AND visible = 1 ";
        }
        $query .= "ORDER BY position ASC";
        $page_set = mysql_query($query, $connection);
        confirm_query($page_set);
        return $page_set;
    }
You could have abstracted the PHP out of this, probably. Printing $query will show you that $subject_id is probably not what you think it is.
Also, where is your SQL Injection prevention? Please enforce that $subject_id is an integer value or wrap it out with quotes:

    $subject_id = (int)$subject_id;

before your

    $query .= "WHERE subject_id = {$subject_id} ";

or

    $query .= "WHERE subject_id = '{$subject_id}' ";
This should work. The issue is that the $subject_id value is breaking out of your query.

Small advice: Enforce some security here, you should prevent SQL injection scenarios.
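The two answers above make the same two points: print the assembled string to see what the concatenation really produced, and keep the subject id from breaking out of the query. The following is an added example, not code from the question or from the answers, that shows both: a string-building helper that reproduces the question's concatenation beside a corrected one, and the same lookup rewritten with a mysqli prepared statement so the value is never spliced into the SQL at all. Table and column names (pages, subject_id, visible, position) are taken from the question; $connection is assumed to be an open mysqli handle, and get_result() assumes the mysqlnd driver that ships with current PHP builds.

```php
<?php
// Added example (not from the question or the answers): the original
// concatenation, a corrected concatenation, and a prepared-statement version.

// 1. The question's pattern, reproduced exactly so it can be printed and
//    inspected: ".$subject_id." inside double quotes keeps the literal dots,
//    and "AND visible = 1 " has no leading space, so the id runs into AND.
function build_query_broken($subject_id, $public = true): string
{
    $query = "SELECT * FROM pages WHERE subject_id = .$subject_id.";
    if ($public) {
        $query .= "AND visible = 1 ";
    }
    $query .= "ORDER BY position ASC";
    return $query;
}

// 2. Corrected concatenation: the id is cast to int (so input such as
//    "3 OR 1=1" collapses to 3 and cannot add clauses), a trailing space
//    separates each fragment, and field names are backquoted.
function build_query_fixed($subject_id, $public = true): string
{
    $subject_id = (int) $subject_id;
    $query = "SELECT * FROM `pages` WHERE `subject_id` = {$subject_id} ";
    if ($public) {
        $query .= "AND `visible` = 1 ";
    }
    $query .= "ORDER BY `position` ASC";
    return $query;
}

// 3. Preferred form: the SQL text is static and the id travels as a bound
//    parameter, so no value can change the structure of the statement.
//    $connection is assumed to be an open mysqli handle.
function get_pages_for_subject(mysqli $connection, int $subject_id, bool $public = true): mysqli_result
{
    $sql = "SELECT * FROM `pages` WHERE `subject_id` = ?";
    if ($public) {
        $sql .= " AND `visible` = 1";      // leading space keeps fragments apart
    }
    $sql .= " ORDER BY `position` ASC";

    $stmt = $connection->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException("Prepare failed: " . $connection->error);
    }
    $stmt->bind_param('i', $subject_id);   // 'i' = bind as integer
    if (!$stmt->execute()) {
        throw new RuntimeException("Execute failed: " . $stmt->error);
    }
    return $stmt->get_result();            // requires mysqlnd (default in current PHP)
}

// Debugging step from the answers: look at the strings before sending them.
// The hostile-looking input is a constructed sample to show the cast at work.
foreach (["3", "3 OR 1=1"] as $sample_id) {
    echo "broken: ", build_query_broken($sample_id), PHP_EOL;
    echo "fixed:  ", build_query_fixed($sample_id), PHP_EOL;
}

// Usage of the prepared-statement version (connection details are placeholders):
// $connection = new mysqli('localhost', 'user', 'password', 'database');
// $page_set = get_pages_for_subject($connection, (int) $_GET['subject'], true);
// while ($row = $page_set->fetch_assoc()) { /* ... */ }
```

Running the loop prints the broken string with the stray dots around the id and no space before AND, which is exactly the fragment MySQL is objecting to, next to the corrected string in which the second sample has been reduced to the integer 3. The prepared-statement version removes the need to inspect the string for injection at all, because the id is sent separately from the SQL and the database driver never parses it as part of the query text.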
You should backquote all your field names, like

    `visible` = 1
    ORDER BY `position`

and so on, to be sure nothing conflicts with a reserved MySQL word (I'm thinking about "position", which is a string function).