Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1n59lS-0003Hz-6p for pgsql-interfaces@arkaria.postgresql.org; Wed, 05 Jan 2022 17:07:54 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1n59lQ-0003DJ-3L for pgsql-interfaces@arkaria.postgresql.org; Wed, 05 Jan 2022 17:07:52 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1n59lP-0003D9-SP for pgsql-interfaces@lists.postgresql.org; Wed, 05 Jan 2022 17:07:51 +0000 Received: from sss.pgh.pa.us ([66.207.139.130]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1n59lN-0002fk-Ry for pgsql-interfaces@lists.postgresql.org; Wed, 05 Jan 2022 17:07:51 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 205H7lPK303862; Wed, 5 Jan 2022 12:07:47 -0500 From: Tom Lane To: Les cc: pgsql-interfaces@lists.postgresql.org Subject: Re: psycopg3 - parameters cannot be used for DDL commands? In-reply-to: References: Comments: In-reply-to Les message dated "Wed, 05 Jan 2022 17:42:31 +0100" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <303860.1641402467.1@sss.pgh.pa.us> Date: Wed, 05 Jan 2022 12:07:47 -0500 Message-ID: <303861.1641402467@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Les writes: > PostgreSQL server log: > 2022-01-05 17:35:25.831 CET [58] ERROR: syntax error at or near "$1" at > character 35 > 2022-01-05 17:35:25.831 CET [58] STATEMENT: ALTER USER postgres WITH > PASSWORD $1 Yeah, as a general rule parameters can only be used in DML commands (SELECT/INSERT/UPDATE/DELETE). Utility commands don't support them because they don't have expression-evaluation capability. (Perhaps this will change someday, but don't hold your breath.) > Passwords can also contain special characters. If I can't use parameters to > do this, then how should I quote them in a safe way? Most client libraries should have a function to convert an arbitrary string into a safely-quoted SQL literal that you can embed into the command. I don't know psycopg3, so I don't know what it has for that. regards, tom lane