将值存储在来自 PHP 中 Postgres SQL 查询的变量中

Question

I have a variable from input:

$local1 = $_REQUEST['local1'];

I have tried this:

 $latitude1 = pg_query($db, "SELECT latitude FROM local_publico WHERE nome=$local1;");
 val1 = pg_fetch_result($latitude1, 0, 0);

Being that the query returns aa row with a single column. However, whenever I try to use the variable $val1 , it doesn't work, even a simple echo() .

New to SQL, I appreciate any kind of help!

Answer 1

This should work:

$local1 = $_REQUEST['local1'];
$latitude1 = pg_query($db, "SELECT latitude FROM local_publico WHERE nome=$local1;");
$val1 = pg_fetch_result($latitude1);

However, the above code is susceptible to SQL Injection. You should do something like this instead:

$local1 = $_REQUEST['local1'];
$result = pg_prepare($db, 'my_query', 'SELECT latitude FROM local_publico WHERE nome = $1');
$result = pg_execute($db, 'my_query', [$local1]);
$val1 = pg_fetch_result($result);

You can read more about SQL Injections here .