
Ligonsker's avatar

Dynamic model declaration VS using Query Builder

I want to get the model or table name from the request and then update some values on some rows in that table.

I can either do it dynamically with Eloquent:

$model_name = $request->model_name;
$namespaced_model = "\\App\\Models\\" . $model_name;
$instance = $namespaced_model::find($id);
$instance->value1 = "new_value1";
$instance->value2 = "new_value2";
$instance->save();

or I can use it with Query Builder and update:

$row = DB::table($request->table_name)->where('id', '=', $id)
->update(['value1' => 'new_value1', 'value2' => 'new_value2']);

I lean towards the first one (with Eloquent) in my specific code because of how it was written. Can I use it, and will it be OK?

I just never used it dynamically like so and I want to know if that's alright.

0 likes
6 replies
kokoshneta's avatar

In either case, you’ll probably want to add some safety checks for existing models and tables. If someone sends along table_name=svbywb or model_name=avbyewibw in a request, your current code would fail with an SQL error – unless you just magically happen to have a table called svbywb or a model called Avbyewibw.

Other than that, the two approaches are fairly equivalent. Your first approach needlessly fetches a model instance, updates a few fields and then saves it (so two database queries) instead of just updating. This would do the same, but with just one query:

$model = "\App\Models\{$request->model_name}";
$model::where('id', $id)->update(['v1' => 'new1', 'v2' => 'new2']);

Notice how, if you do it that way, the only difference between the two approaches is whether you use DB::table($request->table_name) or the implicitly called $model::query() to create the actual query builder. As soon as you have the builder, the rest is exactly the same.

1 like
Ligonsker's avatar

@kokoshneta That's great, I think I will use that with fewer queries, thank you! By the way, can you read my comment to @martinbean's comment? Now I feel I'm doing something wrong?

martinbean's avatar

@ligonsker Letting a user update any table and their columns is a horrific idea from a security standpoint. Why on earth would you want to allow this?

1 like
Ligonsker's avatar

@martinbean The app is made of many tables - each table is also a table on the DB and each user has certain permission to view or edit this table.

These are data tables, not tables like users table or tokens table, these tables are the app basically - the users need to update the data on them.

So I have many routes - each route represents a table, and each table has a corresponding model:

myapp/tables/table1 
myapp/tables/table2
myapp/tables/table3

And I want to either get the table name from the URL, or just put it as a hidden input when creating the blade so that I submit the table name back when I need to update it.

But after what you said I'm concerned - how else would I let users do that if that's the point of the app? Of course there is a lot of backend validation to make sure the data is correct. But maybe I should do it completely differently?

kokoshneta's avatar

@Ligonsker I think Martin’s point was that you didn’t show anything about permissions. Checking if a specific user has permission to update specific columns in a specific table and then updating those columns accordingly is fine, but you should of course not just allow any user to update anything they want in any table they like.

So data validation is key here. For that reason, the hidden input field is probably easier for you than the URL approach, because then you can just validate that along with the rest of the data using standard validation.

1 like
Ligonsker's avatar

@kokoshneta Oh then yes, in this case I do all the necessary validation and permission checking, and yes, I will choose the hidden input method, thank you!
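
An added example, not part of the thread or any participant's code: one way to implement the existence and permission checks the replies call for, by resolving the submitted table name through an allowlist instead of concatenating it into a class name. The table keys, model class names, column lists and the `resolveUpdate` helper are hypothetical, and the list of tables a user may edit is assumed to come from the app's own permission system.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: request key => model class and the columns users may edit.
// Class names and columns are constructed for this example.
const EDITABLE_TABLES = [
    'table1' => ['model' => '\\App\\Models\\Table1', 'columns' => ['value1', 'value2']],
    'table2' => ['model' => '\\App\\Models\\Table2', 'columns' => ['value1']],
];

/**
 * Turn untrusted request input into a model class and a safe update payload.
 * $userTables lists the table keys the current user may edit (assumption:
 * supplied by the app's permission layer).
 */
function resolveUpdate(string $tableKey, array $input, array $userTables): array
{
    // 1. Unknown names never reach the class loader or the query builder.
    if (!array_key_exists($tableKey, EDITABLE_TABLES)) {
        throw new InvalidArgumentException('Unknown table');
    }
    // 2. The permission check is per table, not global.
    if (!in_array($tableKey, $userTables, true)) {
        throw new RuntimeException('Not allowed to edit this table');
    }
    // 3. Keep only allowlisted columns; anything else in the request is dropped.
    $entry = EDITABLE_TABLES[$tableKey];
    $values = array_intersect_key($input, array_flip($entry['columns']));
    if ($values === []) {
        throw new InvalidArgumentException('No editable columns supplied');
    }
    return [$entry['model'], $values];
}

// Constructed sample request: the hidden field plus posted columns,
// including one column ("is_admin") that is not on the allowlist.
[$model, $values] = resolveUpdate(
    'table1',
    ['value1' => 'new_value1', 'is_admin' => 1],
    ['table1', 'table3']
);
var_dump($model, $values);

// In a controller the result would feed the one-query form from the thread:
// $model::where('id', $id)->update($values);
```

Because the class name comes from the map rather than from the request, a value such as `avbyewibw` fails at step 1 instead of producing a class-not-found or SQL error.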
