Just try this and see what happens:
// Put that $_GET into a variable
$parentcat = $_GET['cat'];
// Echo it out so that you can see precisely whats in that variable
echo("Cat: " . $parentcat);
$r = mysql_query("select * from sub_category where ((parent_Category='$parentcat') AND (sub_Active='1')) order by sub_Id DESC");
Now, what I've done there, is move that GET into a variable, and we are outputting that variable to the screen so we know exactly whats in there (if there are any characters that could be throwing it up). You obviously wont do that in a production environment, but it can be useful just to test when something has gone wrong, so remove it completely after you know whats up.
Then using '' around your variables in your query.
This SQL is NOT secure though, you need to do as cups has said and escape that variable, but put the GET into a variable and escape it from there, NOT directly in the query.
The reason you want to put it into a variable is because you will want to validate that whatever is put in is what you would expect to be put in, the escape will help prevent against SQL Injection, but there are other things you want to protect against, you should always validate/cleanse incoming variables properly.