pg_query(): Query failed: ERROR: column doesnot exist

Question

i did follow the solution here : Warning: pg_query(): Query failed: ERROR: syntax error at or near but i still got the following error :

Warning: pg_query(): Query failed: ERROR: column "rosmoffi" does not exist LINE 1: ... FROM public."espece" where "espece"."Code_Espece" =Rosmoffi ^

this is my code :

$conn = pg_connect($conn_string);

$query = 'SELECT * FROM public."espece" where "espece"."Code_Espece" ='.$idd ;
if (!$result = pg_query($conn, $query)){
    echo  pg_result_error ($conn);
    return false;
}
$result = db($result); 
return $result;

Answer 1

$query = 'SELECT * FROM public."espece" where "espece"."Code_Espece" ='.$idd ;

Do not do this. If you were to output what you get here you'd see the error, as you should from the error message. Whatever is in the variable $idd will be put into the query as is and it will not be considered a string. It's just a part of the query. So since there are no quotes it will in this case be understood as a column name.

The worst part of this is that if $idd is coming from the user think what will happen when someone sets it to 1; truncate table espece. Or something worse. Learn how to use parameters immediately.

Using parameters your code would be:

$query = 'SELECT * FROM public."espece" where "espece"."Code_Espece" =$1';
if (!$result = pg_query_params($conn, $query, array($idd))){

This way the variable is given properly to the database and there is no injection vulnerability.

NB! For those who keep saying the double quotes should be removed, no. They should not. If the column name is capitalized as Code_Espece then PostgreSQL will not recognize it without the quotes. Capitalization is usually not recommended.