First problem I see is that you have the potential for a SQL Injection vulnerability by the way you concatenate together your SQL command. How you should be doing this is by creating a prepared statement and then binding in a parameter.
Second item I see is an error: there is no closing parenthesis in your subquery.
Third item I see is in your ORDER BY clause; the two items are not separated by a comma.
References:
PHP: mysqli::prepare - Manual
PHP: PDOStatement::bindParam - Manual
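The three points above in one query, as an added example that is not part of the original answer or the asker's code. The table and column names are hypothetical, and an in-memory SQLite database accessed through PDO stands in for the real server so the script runs on its own.

```php
<?php
// Added example: hypothetical schema, in-memory SQLite standing in for the real database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$pdo->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, region TEXT)');
$pdo->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER,
                                 placed_on TEXT, total REAL)');
$pdo->exec("INSERT INTO customers VALUES (1, 'north'), (2, 'south')");
$pdo->exec("INSERT INTO orders VALUES (1, 1, '2024-01-05', 20.0),
                                      (2, 2, '2024-01-06', 35.0),
                                      (3, 1, '2024-01-05', 12.5)");

function ordersForRegion(PDO $pdo, string $region): array
{
    // The SQL text is a constant: the user-supplied value is never concatenated in.
    // The subquery is closed with its parenthesis, and the two ORDER BY items
    // are separated by a comma.
    $sql = 'SELECT id, placed_on, total
              FROM orders
             WHERE customer_id IN (SELECT id FROM customers WHERE region = :region)
             ORDER BY placed_on DESC, total DESC';

    $stmt = $pdo->prepare($sql);

    // The value travels separately from the statement and is bound as a string.
    $stmt->bindParam(':region', $region, PDO::PARAM_STR);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Ordinary input.
print_r(ordersForRegion($pdo, 'north'));

// Input containing quote characters is compared as a literal region name,
// so it cannot change the structure of the query.
print_r(ordersForRegion($pdo, "north' OR '1'='1"));
```

With mysqli the same pattern uses `?` placeholders and `mysqli_stmt::bind_param`.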