Thanks for the security issue. I am aware of the risks. I will deal with security later. It's not such a big issue here as the site is hosted internally and the most genius hackers would be teachers who don't know anything about computers lol.
The other variable needs the quotes as it is selecting the value of the variable 'GroupID' from the database field named GroupID. It's a bit confusing as the database field name is the same as the name of the variable. It is best to make sure that they are different. For example, if you were to rename the variable as 'InputGroup' and set a value for this as 'ABC', your query (strSQL) would read:
strSQL = "SELECT DISTINCT Student_ID, PHOTO, surname, forename, GroupID, Staff_code FROM aSelAllStudentByClass WHERE GroupID='" & InputGroup & "' ORDER BY " & order & ";"
This would give an SQL query of:
SELECT DISTINCT Student_ID, PHOTO, surname, forename, GroupID, Staff_code FROM aSelAllStudentByClass WHERE GroupID='ABC' ORDER BY Student_ID ASC;
Note the quotes around the value 'ABC' and none around the field name Student_ID.
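Added example, not part of the original posts: the same query with the GroupID value bound as an ADO parameter instead of being concatenated inside quotes, and the ORDER BY clause picked from a fixed list, since a column name cannot be passed as a parameter. The helper names, the sort keys ("surname", "forename", "staff"), the parameter size of 50 and the already-open connection `conn` are assumptions; the column and table names are the ones from the query above.

```vbscript
' ADO constants (values as defined in adovbs.inc)
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200

' Hypothetical helper: map a requested sort key to a fixed ORDER BY clause.
' The request value is only compared, never copied into the SQL text,
' so anything not listed falls back to the default.
Function SafeOrderBy(requested)
    Select Case LCase(Trim(requested & ""))
        Case "surname"
            SafeOrderBy = "surname ASC, forename ASC"
        Case "forename"
            SafeOrderBy = "forename ASC, surname ASC"
        Case "staff"
            SafeOrderBy = "Staff_code ASC, surname ASC"
        Case Else
            SafeOrderBy = "Student_ID ASC"
    End Select
End Function

' Hypothetical helper: conn is assumed to be an open ADODB.Connection.
' Returns a recordset of the students in the given group.
Function GetStudentsByGroup(conn, InputGroup, requestedOrder)
    Dim cmd
    Set cmd = CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText

    ' The ? placeholder takes no quotes: ADO sends the value separately
    ' from the SQL text, so a quote character in InputGroup stays data.
    cmd.CommandText = _
        "SELECT DISTINCT Student_ID, PHOTO, surname, forename, GroupID, Staff_code " & _
        "FROM aSelAllStudentByClass WHERE GroupID = ? " & _
        "ORDER BY " & SafeOrderBy(requestedOrder) & ";"

    ' Size 50 is an assumed maximum length for the GroupID field.
    cmd.Parameters.Append cmd.CreateParameter( _
        "GroupID", adVarChar, adParamInput, 50, CStr(InputGroup & ""))

    Set GetStudentsByGroup = cmd.Execute
End Function

' Example call from an ASP page:
' Set rs = GetStudentsByGroup(conn, Request.QueryString("GroupID"), Request.QueryString("order"))
```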