Passing javascript variable into PHP and making mysql query

I've the following script (taken from a large script) saved as example3.php:

<script type="text/javascript">
var layer;

//where layer is a table like 
------------------------------------
BUSNAME       +    Category    +
------------------------------------
200 Bay       +   Restaurant   +
201 Bay       +   Bank         +
202 Bay       +   School       +
203 Bay       +   Restaurant   +
204 Bay       +   School       +
205 Bay       +   Restaurant   +
206 Bay       +   Restaurant   +
207 Bay       +   School       +
208 开发者_如何转开发Bay       +   Restaurant   +
209 Bay       +   Restaurant   +
------------------------------------

window.location.href = "example3.php?layer="+ layer;

<?php
  //Make a MySQL Connection
  $query = "SELECT Category, COUNT(BUSNAME) 
    FROM ".$_GET['layer']." GROUP BY Category"; 
  $result = mysql_query($query) or die(mysql_error());
  //Print out result
  while($row = mysql_fetch_array($result)){
    echo "There are ".$row['COUNT(BUSNAME)']. " " .$row['Category']. "items.";
  echo "<br/>";
  }
?>

</script>

Don't no why it is not working. Any suggestion must be appreciated.

---

if you have dynamical table name, your database design is wrong

as for your script, it just makes no sense.

make in in 2 parts: JS page and PHP page. and call this PHP page with window.location.href

---

I suggest JSON-encoding the table on the client side (in JS). Use POST to send it, then decode it on the server side (in PHP).

Most popular JS libraries do have JSON-encoding functions, the PHP function is called json_decode.

---

As Balus pointed out, watch out for SQL Injection. When you reach the php page, does the $_GET['layer'] equals something?

Does your javascript variable equals something? var layer = "layer

"layer" being the actual name for the table inside of your database.

---

EDIT

In this context mysql_real_escape_string() does not work.

$layer = mysql_real_escape_string($_GET['layer']);
$query = "SELECT Category, COUNT(BUSNAME) 
FROM `".$layer."` GROUP BY Category"; <<-- this doesn't work.

Because mysql_real_escape_string does not escape backticks `

With values it does work

You need to run each and every value you get with $_GET though mysql_real_escape_string(). (or use PDO's)
On top of that every value that you put into a query you need to enclose with single quotes '.

$value = mysql_real_escape_string($_GET['fieldname']);
$query = "SELECT * FROM test WHERE f1 = '".$value."'"; <<-- this works
                                        ^          ^

Links:
SQL-injection attack: How does the SQL injection from the "Bobby Tables" XKCD comic work?
PDO's: mysqli or PDO - what are the pros and cons?

Will update as soon as I find a fix your your particular SQL-injection problem.