
Is there some string escaping or preparing?


Hello. I’m using node-postgres. And I want to insert some strings into some table. If I’m using a single query, I can do it like this and everything is working ok:

client.query('INSERT INTO sometbl VALUES ($1, $2)', ['foo', 'bar']);

But since I am using transactions and trying to do it like this:

client.query('BEGIN; INSERT INTO sometbl VALUES ($1, $2); UPDATE sometable SET somevalue = $3; END;', ['foo', 'bar', 'foobar']);

I am getting an error with code 42601: 'cannot insert multiple commands into a prepared statement'.

Yes, I know that I can use simple string concatenation or some realization of sprintf() to insert these parameters into the query string, but, I think, it isn’t safe to do it without any preparation like escaping. Is there some convenient way to do such preparation before inserting string values into the query string?

For example, I have found the PQescapeLiteral function in libpq; maybe some interface to this or a similar function exists? If not, can it be implemented? //Sorry if the question is silly, I’m a newbie in postgresql and node.

Issue Analytics

  • State: closed
  • Created 12 years ago
  • Reactions: 3
  • Comments: 9 (4 by maintainers)

Top GitHub Comments

10 reactions
benjie commented, Jan 17, 2020

(NOTE: the current pg supports both escapeIdentifier and escapeLiteral on client instances: https://github.com/brianc/node-postgres/blob/3f6760c62ee2a901d374b5e50c2f025b7d550315/packages/pg/lib/client.js#L408-L437 )

1 reaction
benjie commented, May 27, 2020

Sure; escapeIdentifier is for escaping identifiers as documented here: https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS “(To include a double quote, write two double quotes.)”

escapeLiteral is for escaping string constants as documented here: https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-CONSTANTS
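As an added example (not code from node-postgres or from the issue's participants), the two escaping rules the maintainer links above, reimplemented in plain JavaScript from the PostgreSQL lexical rules, next to the pattern that avoids escaping values altogether: one parameterized statement per command, sent in order on the same client between BEGIN and COMMIT. The function names and the single table `sometbl` used for both statements are assumptions.

```javascript
// Reimplementation for illustration (not pg's own escapeLiteral/escapeIdentifier):
//   identifier: wrap in double quotes, double any embedded double quote;
//   string constant: wrap in single quotes, double any embedded single quote;
//   if the value contains a backslash, use the E'...' form with backslashes doubled.
function escapeIdentifier(name) {
  return '"' + String(name).replace(/"/g, '""') + '"';
}

function escapeLiteral(value) {
  const s = String(value);
  const hasBackslash = s.includes('\\');
  let body = s.replace(/'/g, "''");                     // a quote inside a literal is written twice
  if (hasBackslash) body = body.replace(/\\/g, '\\\\'); // E-strings treat \ as an escape character
  // Leading space before E, as libpq does, so the literal is safe right after another token.
  return (hasBackslash ? " E'" : "'") + body + "'";
}

// The multi-command text from the issue, with every value escaped before concatenation.
function buildTransactionSql(table, insertValues, newValue) {
  const tbl = escapeIdentifier(table);
  const vals = insertValues.map(escapeLiteral).join(', ');
  return `BEGIN; INSERT INTO ${tbl} VALUES (${vals}); ` +
         `UPDATE ${tbl} SET somevalue = ${escapeLiteral(newValue)}; COMMIT;`;
}

// The alternative that needs no escaping of values: one parameterized query per command.
// Each object is what would be passed, in order, to client.query() on a single client
// (assumed usage; no database is contacted here).
function transactionAsQueries(table, insertValues, newValue) {
  const tbl = escapeIdentifier(table);
  const placeholders = insertValues.map((_, i) => '$' + (i + 1)).join(', ');
  return [
    { text: 'BEGIN', values: [] },
    { text: `INSERT INTO ${tbl} VALUES (${placeholders})`, values: insertValues },
    { text: `UPDATE ${tbl} SET somevalue = $1`, values: [newValue] },
    { text: 'COMMIT', values: [] },
  ];
}

// Constructed sample input: values that would break naive concatenation.
console.log(buildTransactionSql('sometbl', ["O'Reilly", 'C:\\temp'], 'foobar'));
```

Escaping only covers string constants and identifiers; the parameterized form also keeps the values out of the SQL text entirely, which is why it remains the simpler choice when the statements can be sent one at a time.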
