My PHP file contains the following function. It works when I set the review column to '$review'
and the IdUser
to 2. But I need to have the IdUser
set to the variable $user
. What is the correct syntax to set IdUser
to the variable instead of a constant? (preferably in a way that avoids SQL injection attacks).
function addRatings2($review, $user) {
//try to insert a new row in the "ratings" table with the given UserID
$result = query("UPDATE ratings SET review ='$review' WHERE IdUser = 2 order by dateTime desc limit 1");
}