The variables below are passed into itemdetails2.php <a href=\"itemdetails2.php?id=". $content['id'] ."&platename=".$content['platename']."\"> PHP: In itemdetails2.php I pull the variables from the url making available through out the whole script in itemdetails2.php by: <?php $shoename = $_GET['platename']; $id = (int)$_GET['id']; if( $id === 0) { exit('ID can only be an integer'); } ?> PHP: After I make it available through out the whole script in itemdetails2.php I want to build a sql injection that takes the value of the variable $shoename and put it inside the OutputRating method parameter below <?php $ratingData = Rating::OutputRating('paul'); if (Error::HasErrors()) { echo Error::ShowErrorMessages(); Error::ClearErrors(); } else { echo $ratingData; } ?> PHP: Notice in the parameter it says paul instead of paul I want it to contain the shoename variable value in the url. <?php $shoename = $_GET['platename']; $id = (int)$_GET['id']; if( $id === 0) { exit('ID can only be an integer'); } ?> <?php $ratingData = Rating::OutputRating('$shoename'); if (Error::HasErrors()) { echo Error::ShowErrorMessages(); Error::ClearErrors(); } else { echo $ratingData; } ?> PHP: is that correct to put $shoename variable in there just like I did in the last embed script?