Create mysql table name using php variable

How to ...

         

kaz

11:43 pm on Jun 26, 2008 (gmt 0)




I have written the following code, which creates a table:

 $review = 'CREATE TABLE reviewtablename (
q1 VARCHAR( 150 ) NOT NULL,
q2 SMALLINT( 3 ) DEFAULT 0 NOT NULL,
q3 SMALLINT( 3 ) DEFAULT 0 NOT NULL,
q4 SMALLINT( 3 ) DEFAULT 0 NOT NULL
)';
mysql_query( $review );

I have tested and verified the above code creates a table as I intended.

I would like to do the following though. Instead of the table name being called reviewtablename, I would like to use an existing variable, $business_id.

I'm stuck on what seems like it should be simple: inserting the PHP variable into the MySQL statement. Can anyone help me along? Any advice on how single quotes, double quotes, / and ( work in these statements would help also, if you have time. Thank you in advance.

eelixduppy

5:12 am on Jun 27, 2008 (gmt 0)



Try the following:

$review = 'CREATE TABLE `' . $business_id . '` (
q1 VARCHAR( 150 ) NOT NULL,
q2 SMALLINT( 3 ) DEFAULT 0 NOT NULL,
q3 SMALLINT( 3 ) DEFAULT 0 NOT NULL,
q4 SMALLINT( 3 ) DEFAULT 0 NOT NULL
)';

There are two things to notice here. One, the concatenation of the variable into the string, using the period (.) to do so. You can find more information on that in the String [us2.php.net] documentation.

The other thing to note, which is actually pretty important, is the prime character (`) that I've added around the table name. This escapes the table name in MySQL just in case you happen to use a reserved word [dev.mysql.com] for the table name. While this isn't suggested, it can and does happen, so we add the escape character in there just in case :)

One last note about security. One, you definitely want to know that this variable is going to contain something you want it to contain. I don't know how you are setting this up, but you still want to make sure. This can be checking it against an array of potential names, or whatever. As long as someone isn't injecting data into the variable when you aren't aware of it you'll be fine. With that being said, make sure that you don't have register globals turned on in your php.ini config file. This can lead to other potential attacks if you don't initialize the $business_id variable before you use it in your query. Just a few things you should look into to be more safe :)

Good luck

kaz

5:24 am on Jun 27, 2008 (gmt 0)




Cheers. That did work.

I appreciate the extra info, very helpful. Regarding security, I follow you; the variable used for the table name is pulled from an auto-incremented field in another table.
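
An added example, not code from any poster in this thread: one way to apply the checks discussed above before the value reaches the CREATE TABLE string, assuming the id is a positive integer from an auto-increment column. The `review_` prefix and the function names are assumptions made for illustration; the script only builds and prints the SQL, so it runs without a database.

```php
<?php
// Added example, not code from the thread. The "review_" prefix and the
// function names are assumptions made for illustration.

// Accept only a positive integer id (the thread's id comes from an
// auto-increment column) and turn it into a table name.
function review_table_name($business_id): string
{
    $id = filter_var($business_id, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('business_id must be a positive integer');
    }
    return 'review_' . $id;
}

// Quote an identifier for MySQL: wrap it in backticks and double any
// backtick inside it, so the name cannot end the quoting early.
function quote_identifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

// Build the statement from the thread with the validated, quoted name.
function build_review_table_sql($business_id): string
{
    $table = quote_identifier(review_table_name($business_id));
    return "CREATE TABLE $table (
q1 VARCHAR( 150 ) NOT NULL,
q2 SMALLINT( 3 ) DEFAULT 0 NOT NULL,
q3 SMALLINT( 3 ) DEFAULT 0 NOT NULL,
q4 SMALLINT( 3 ) DEFAULT 0 NOT NULL
)";
}

// Constructed sample inputs: two valid ids and three that must be rejected.
$samples = [42, '7', '7; DROP TABLE users', 'order', -3];
foreach ($samples as $sample) {
    try {
        echo build_review_table_sql($sample), "\n\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected ', var_export($sample, true), ': ', $e->getMessage(), "\n\n";
    }
}
```

Validating the value as an integer right where the query is built means the statement stays safe even if the variable is later populated from somewhere other than the auto-increment field.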