Trying to build a dynamic PHP mysql_query string to update a row and getting back the updated row

I have a form that jQuery tracks the onChage .change() event so when something is changed it runs a ajax request and i pass in the column, id, and the values in the url.

Here i have the PHP code that should update the data.

My question is now how do i build the mySQl string dynamically. and how do i echo back the changes/updates that where just changed on the db.

Here is the PHP code i am trying to work with.

<?php require_once('Connections/connect.php'); ?>

 <?php  
    $id = $_G开发者_运维百科ET['id'];
    $collumn = $_GET['collumn'];
    $val = $_GET['val'];
 ?>


<?php 
    mysql_select_db($myDB, $connection);

  // here i try to build the query string and pass in the passed in values
   $sqlUpdate = 'UPDATE `plProducts`.`allPens` SET `$collumn` = '$val' WHERE `allPens`.`prodId` = '$id' LIMIT 1;';

  // here i want to echo back the updated row (or the updated data) 
  $seeResults = mysql_query($sqlUpdate, $connection);
  echo  $seeResults
?>

is this example OK?

$sqlUpdate = 'UPDATE `plProducts`.`allPens` SET "{$collumn}" = "{$val}" WHERE `allPens`.`prodId` = "{$id}"LIMIT 1;';

Use the string concatenation operator ..

$sqlUpdate = 'UPDATE `plProducts`.`allPens` SET `' . $collumn .'` = \'$val\' WHERE `allPens`.`prodId` = '. $id . ' LIMIT 1;';
mysql_query(mysql_escape_string($sqlUpdate));

Of course, this presents a whole plethora of SQL injection loopholes.