Quite basic SQL injection question

[Alexandre De Dommelin <adedommelin () tuxz net>]

Hi all,

I'm evaluating PHP/Mysql code and I found a problem, in the following code :
<?php
$query="
SELECT *
FROM table1 m JOIN table2 t
$condition
ORDER BY m.field1, t.field2
";
$db->query($query);
?>

I'm able to inject everything I want into $condition, but I can't manage to
make the ORDER clause to be ignored (using -- /* ...), which leads to an sql
error.
I'm sure it's quite stupid but I have to admit that i'm stucked ...

Do you have an idea ?

Bests,

Alex

Attachment: signature.asc
Description: Digital signature