0

Im wondering if something like this is possible?

$joinguild = "UPDATE guild SET '.$rank.'='.$receiver.' WHERE name ='"$dupecheckinfo["guild"]"'";

Im trying to SET '.$rank.'='.$receiver.', but I dont know if I can use a variable where $rank is. Is there a proper way to write this. Is it even possible? If not how would you approach it? Thanks!

Here is my SQL table im working with

Edit: See how my table has Rank1 Rank2 Rank3 etc. Well I am passing the rank value that I want to set so for example 

$rank = $_POST["rank"];

$joinguild = "UPDATE guild SET '.$rank.'='.$username.' WHERE name ='"$dupecheckinfo["guild"]"'";
Cameron Roberson
  • 13
  • 7

3 Answers3

1

Your question in not clear but you have some problems in your PHP statement. I think you are trying to create your SQL UPDATE query using PHP variables.

Try this:

$joinguild = "UPDATE guild SET $rank='$receiver' WHERE name='" . $dupecheckinfo["guild"] . "'";

Here $rank should have valid column name in your table. Also read about SQL injection.

Naveed
  • 41,517
  • 32
  • 98
  • 131
0

Your question is quite unclear but to update records from a table you can use this line of code:

  $sql=mysqli_query($conn, "UPDATE `table` SET option1='$op1', option2='$op2', option3='$op3', option4='$op4' where id='$id'");

If this is unclear please let me know.

Best Bibek
  • 155
  • 2
  • 10
  • Thanks for the response, I want to know if its possible for SET option1='$op1' to be something like SET '$options'='$op1'. If so what would be the syntax for that. – Cameron Roberson Jan 20 '19 at 02:34
  • option1='$op1' to '$options'='$op1' ? It's still unclear, can you explain in detail again? – Best Bibek Jan 20 '19 at 02:39
  • Thanks for your help. I edited my description above. See how I am passing into the PHP script the $rank variable? I need to set that equal to another variable using SET. – Cameron Roberson Jan 20 '19 at 02:45
  • I am confused what you are actually trying to create with that script but there are some errors in your script, just use the one I've given above and replace the variable names with $rank and $receiver. – Best Bibek Jan 20 '19 at 03:02
0

Yes, you can use variables for table and field names in your queries. However, you should avoid it whenever possible, because it generally leads to SQL injection vulnerabilities. Instead of building queries with string concatenation, use prepared statements with bound parameters. See this page and this post for some good examples.

Unfortunately, the bind mechanism works only for values and not for table names or field names, so it's best to try avoiding variable table/field names. If you find that you absolutely must, the best approach would be to ensure that the contents of the variable matches with a pre-set whitelist of allowed table/field names.

Alex Howansky
  • 50,515
  • 8
  • 78
  • 98