-2

All, I have the following query in PHP:

$music_choice = $_POST['music_choice'];
$qryupdate = "Update event_details set ".$music_choice."='$song_id' where user_id='$_SESSION[oml_user_id]'";

I'm basically trying to pass in the variable of the column that I'd like to update. I can't get it so that it displays the variable as the column name instead of the variable.

Any ideas on how to do this? Thanks!

user1048676
  • When you echo `$music_choice` or `$_POST['music_choice']` do you have a value? When you echo the value of `$qryupdate` do you get a valid query? We're not seeing all of the code, so that's the only question I can ask. – jcmeloni Feb 08 '12 at 02:04
  • 1
    `displays the variable as the column name instead of the variable` Can you explain this a little better? I'm not sure what you're asking. – Paul Dessert Feb 08 '12 at 02:05
  • Do you mean `music_choice` is the column name? – xdazz Feb 08 '12 at 02:05
  • 1
    See demo: http://codepad.org/RWMA5ftq What's wrong? Also please read: http://stackoverflow.com/search?q=sql+injection – Wesley Murch Feb 08 '12 at 02:09
  • 1
    Can you give the URL of the site? I have some interesting $_POST['music_choice'] values I would like to try (read up on SQL injection). Also, echo your variables before you use them. – Itay Moav -Malimovka Feb 08 '12 at 02:10
  • 1
    @ItayMoav Ah, so you are also a fan of the punk band "user_id=$myuserid; --" – Eugen Rieck Feb 08 '12 at 02:13
  • @EugenRieck: Aren't they on tour with `id='0';DROP TABLE event_details;--` ? – Wesley Murch Feb 08 '12 at 02:19
  • @ItayMoav I didn't show the part with the mysql_real_escape_string but would that prevent the SQL injections? – user1048676 Feb 08 '12 at 02:19
  • @Madmartigan they wanted to, but turns out a clause in the mysql_query() - contract barred them from doing two acts on one evening – Eugen Rieck Feb 08 '12 at 02:23

1 Answer

0

I'm not sure I understand your question...

$music_choice = $_POST['music_choice'];
$qryupdate = "Update event_details set ".$music_choice."='$song_id' where user_id='".$_SESSION['oml_user_id']."'";
echo $qryupdate;

By the way, THIS IS NOT GOOD PROGRAMMING, because you should escape your variables before inserting them into a SQL query, using a function like http://php.net/manual/en/function.mysql-real-escape-string.php

Alberto
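
An added example, not part of the original question or answer: string escaping only protects values placed inside quoted literals, so a column name taken from `$_POST` has to be matched against a fixed allowlist, while the values are bound as parameters. The column names, the `updateMusicChoice` function and the use of PDO with an in-memory SQLite database (instead of the `mysql_*` functions on the page) are assumptions made for illustration.

```php
<?php
// Added example, not code from the question or the answer.
// Hypothetical column names; the page does not list the real ones.
const ALLOWED_COLUMNS = ['first_dance', 'entrance_song', 'last_song'];

function updateMusicChoice(PDO $pdo, string $musicChoice, int $songId, int $userId): int
{
    // Identifiers cannot be bound as parameters and are not covered by
    // string escaping, so the column must equal an allowlisted name exactly.
    if (!in_array($musicChoice, ALLOWED_COLUMNS, true)) {
        throw new InvalidArgumentException('Unknown music_choice value');
    }
    // The column name is now a known constant; the values are bound.
    $sql = "UPDATE event_details SET {$musicChoice} = :song_id WHERE user_id = :user_id";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':song_id' => $songId, ':user_id' => $userId]);
    return $stmt->rowCount();
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE event_details (user_id INTEGER PRIMARY KEY,
    first_dance INTEGER, entrance_song INTEGER, last_song INTEGER)');
$pdo->exec('INSERT INTO event_details (user_id) VALUES (1), (2)');

// Legitimate request: only the row for user 1 changes.
echo updateMusicChoice($pdo, 'first_dance', 42, 1), " row(s) updated\n";

// The value joked about in the comments above is rejected before any SQL is built.
try {
    updateMusicChoice($pdo, "id='0';DROP TABLE event_details;--", 42, 1);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}

// The row for user 2 is untouched and the table still exists.
$row = $pdo->query('SELECT first_dance FROM event_details WHERE user_id = 2')
           ->fetch(PDO::FETCH_ASSOC);
var_dump($row['first_dance']);
```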