mysql - Update column value based on PHP variable which is equal to a column name


// $rating holds a column name, $id holds the row id
$rating = mysqli_real_escape_string($conn, $_POST['rating']);
$id = mysqli_real_escape_string($conn, $_POST['id']);
mysqli_query($conn, "UPDATE table SET $rating=$rating+1 WHERE id='$id'");

Is there a way to update a column based on the PHP variable $rating? $rating is a column name.

Also, this may be prone to security risks etc.; I'd like to know if this is the way to go about it.

Yes, you can use a variable name as a field name in SQL. You must validate it first before putting it into the SQL string. Since it is not a field value, you cannot "quote" it.

$rating = $_POST['rating'];

// define list of valid "rating" db field names here
$valid_fields = array('rating_a', 'rating_b', 'rating_c');

// strict comparison: only an exact string match is accepted as a column name
if (in_array($rating, $valid_fields, true)) {
    $id = mysqli_real_escape_string($conn, $_POST['id']);
    mysqli_query($conn, "UPDATE table SET $rating=$rating+1 WHERE id='$id'");
}
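
An added example (not part of the original answer) that combines the answer's allowlist check for the column name with a bound parameter for the id value. It assumes PDO with an in-memory SQLite database as a stand-in for the MySQL connection so that it runs without a server; the `items` table, the `incrementRating` function and the sample requests are constructed for the demo.

```php
<?php
// Added example: allowlist for the column name, bound parameter for the id.
// Assumption: in-memory SQLite via PDO stands in for the MySQL server;
// the items table and its columns are constructed for this demo.

// Only these identifiers may ever be interpolated into the SQL text.
const VALID_FIELDS = ['rating_a', 'rating_b', 'rating_c'];

function incrementRating(PDO $db, string $rating, string $id): bool
{
    // Identifiers cannot be bound or quoted like values, so an exact
    // (strict) match against the allowlist is the only gate.
    if (!in_array($rating, VALID_FIELDS, true)) {
        return false; // unknown column name: reject, run no query
    }
    // $rating is now one of three known strings; the id is bound, not interpolated.
    $stmt = $db->prepare("UPDATE items SET $rating = $rating + 1 WHERE id = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount() === 1;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (
    id INTEGER PRIMARY KEY,
    rating_a INT DEFAULT 0,
    rating_b INT DEFAULT 0,
    rating_c INT DEFAULT 0
)');
$db->exec('INSERT INTO items (id) VALUES (1)');

// Constructed request data: a valid column, a real column that is not on
// the allowlist, and a valid column with an id that matches no row.
$requests = [
    ['rating' => 'rating_b', 'id' => '1'],
    ['rating' => 'id',       'id' => '1'],
    ['rating' => 'rating_a', 'id' => '999'],
];
foreach ($requests as $post) {
    $ok = incrementRating($db, $post['rating'], $post['id']);
    echo ($ok ? 'updated ' : 'rejected/no row '), $post['rating'], PHP_EOL;
}
print_r($db->query('SELECT * FROM items')->fetch(PDO::FETCH_ASSOC));
```

The second request shows why escaping alone is not enough for an identifier: `id` is a perfectly well-formed column name, and only the allowlist keeps it from being updated.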
