Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1n5A05-0003o9-Fk for pgsql-interfaces@arkaria.postgresql.org; Wed, 05 Jan 2022 17:23:01 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1n5A03-0002KR-IZ for pgsql-interfaces@arkaria.postgresql.org; Wed, 05 Jan 2022 17:22:59 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1n59x6-0000NN-3C for pgsql-interfaces@lists.postgresql.org; Wed, 05 Jan 2022 17:19:56 +0000 Received: from mail-ua1-x930.google.com ([2607:f8b0:4864:20::930]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1n59x4-0002l8-3J for pgsql-interfaces@lists.postgresql.org; Wed, 05 Jan 2022 17:19:55 +0000 Received: by mail-ua1-x930.google.com with SMTP id y4so13433439uad.1 for ; Wed, 05 Jan 2022 09:19:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=cGVx5aaucwKFlh2QuW7gTqEueOkJR1Ylgq1PnO4gkMw=; b=Wa9BMxTq6QEDj1zzg/8ONgiIq62NwHwqYDRPlzWaGLnDMqfarJbj+nDzJ2MyjKSFLw QD04yqVQnWQRj6l5FmOwSoaRClQNCom6Nnki+cci5pQQ04QlVsh/dF0Z/g5KDt95sEaT OD1k6Sgf+l4/YhF+16Ym3UiQOPfFgGVz+BuEx6IxrglVLwBn+kARxXpE5nx4MmlIz1AA nqr9Qf+4YJCYGoygpHIn35/hR8YzPEy8JyOoyqY68FHjTvVV8hw5XHucSHrrN4l7VggL /zk6RU9A+fQoKzKSkLWA6maRAdDo8Sx8+4JD0hIroAFLokTJfu9LR6tVsTH12IBnPUMI bCzA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=cGVx5aaucwKFlh2QuW7gTqEueOkJR1Ylgq1PnO4gkMw=; b=DNDz1AbP9dPjUhZHz3nBixYReGkSbmAWHDJTyQQszQzJcA8eOQXyB7+NE05bTCNWBi tPLB6Rrp9fRo/Ue1XitB8YPu97CHt2vNbyNOLnTkJ22eoQkEAsO20/iAkPj9+MNevdn6 FQSqr6HAe9IcSNkAtJL17XmX70edUWDcImpqs5ZFAUCUPUkeHk0J9McEmJ6j1aLzkKBa QkpGdSjs8MLMDUioh10D81dhwNkCd+utJtrTEZqfZl/88HCOSE1OUrmJ7BG/P6BSirZZ BtRUm/7D5hy5olzfV6gabk2fkZdvUg0J6EQyvi60e27v7ZCJlvRZuKgs/s7IzZCHnsSX XYmA== X-Gm-Message-State: AOAM5330LXT3xMJII10+AtlwtAQylbCEI7riQhnnZ0a9pwvGB9UCh7U8 a5t71KHvkBDCc6wRCEwbW6T+pE7HmlWir6/zQys= X-Google-Smtp-Source: ABdhPJxD69lIEiViQzZNp0Ql4ezZSv/82PPrdHi1TkQ4sWSGy5ahhuYydcTtSwnJ3hHyxQWvFzUgZy7+V/6+KDOFCqs= X-Received: by 2002:a05:6102:290d:: with SMTP id cz13mr5257059vsb.34.1641403192500; Wed, 05 Jan 2022 09:19:52 -0800 (PST) MIME-Version: 1.0 References: <303861.1641402467@sss.pgh.pa.us> In-Reply-To: <303861.1641402467@sss.pgh.pa.us> From: Dmitry Igrishin Date: Wed, 5 Jan 2022 20:20:36 +0300 Message-ID: Subject: Re: psycopg3 - parameters cannot be used for DDL commands? To: Tom Lane Cc: Les , pgsql-interfaces@lists.postgresql.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk =D1=81=D1=80, 5 =D1=8F=D0=BD=D0=B2. 2022 =D0=B3. =D0=B2 20:07, Tom Lane : > > Les writes: > > PostgreSQL server log: > > > 2022-01-05 17:35:25.831 CET [58] ERROR: syntax error at or near "$1" a= t > > character 35 > > 2022-01-05 17:35:25.831 CET [58] STATEMENT: ALTER USER postgres WITH > > PASSWORD $1 > > Yeah, as a general rule parameters can only be used in DML commands > (SELECT/INSERT/UPDATE/DELETE). Utility commands don't support them > because they don't have expression-evaluation capability. > > (Perhaps this will change someday, but don't hold your breath.) > > > Passwords can also contain special characters. If I can't use parameter= s to > > do this, then how should I quote them in a safe way? > > Most client libraries should have a function to convert an arbitrary > string into a safely-quoted SQL literal that you can embed into the > command. I don't know psycopg3, so I don't know what it has for that. My C++ library, - Pgfe, - can convert any named parameter into an arbitrary part of SQL expression by using Sql_string::replace() method. For example: update :foo could be replaced to update foo set bar =3D 'baz' where id =3D 1 by using s.replace("foo", R"(set bar=3D'baz' where id =3D 1)").