pdpotter opened a new issue #43:
URL: https://github.com/apache/incubator-age/issues/43


When I try to use [asyncpg](https://github.com/MagicStack/asyncpg) with query arguments, I get the following error:
`asyncpg.exceptions.PostgresSyntaxError: unexpected character at or near "$"`
   
Python reproduction code:
```
import asyncio

import asyncpg


async def main():
    # Disable asyncpg's statement cache, i.e. don't use prepared statements
    # (see https://github.com/apache/incubator-age/issues/28).
    pool = await asyncpg.create_pool(
        'postgresql://testuser:testpass@127.0.0.1:5433/testdb',
        statement_cache_size=0,
    )
    async with pool.acquire() as conn:
        # ag_catalog first so cypher() and agtype resolve without a prefix.
        await conn.execute('SET search_path = ag_catalog, "$user", public;')

        await conn.execute("SELECT create_graph('testgraph');")

        # Fails: $1 sits inside the $$...$$ dollar-quoted constant, so
        # PostgreSQL passes it to AGE as literal Cypher text rather than
        # treating it as a bind parameter placeholder.
        await conn.execute(
            '''
                SELECT * FROM cypher('testgraph', $$CREATE (v:Person {name: $1})$$) as (a agtype);
            ''',
            'Tom',
        )
    await pool.close()


asyncio.run(main())
```
   
When trying to do the same in Node with [node-postgres](https://github.com/brianc/node-postgres), I get a similar error:
`error: unexpected character at or near "$"`
   
TypeScript reproduction code:
```
import {Client} from "pg";

const config = {
    user: 'testuser',
    host: '127.0.0.1',
    database: 'testdb',
    password: 'testpass',
    port: 5433,
};

const main = async () => {
    const client = new Client(config);
    await client.connect();

    await client.query(`SET search_path = ag_catalog, "$user", public;`);
    await client.query(`SELECT create_graph('testgraph');`);

    // Same failure: $1 is inside the $$...$$ constant, so it is Cypher text,
    // not a bind parameter placeholder.
    await client.query(
        `SELECT * FROM cypher('testgraph', $$CREATE (v:Person {name: $1})$$) as (a agtype);`,
        ['Tom'],
    ).catch(e => console.log(e));

    await client.end();
};

main();
```
   
Is it possible to use query arguments in another way with the [Dollar-Quoted String Constants](https://www.postgresql.org/docs/11/sql-syntax-lexical.html#SQL-SYNTAX-DOLLAR-QUOTING) incubator-age is using, or is there another easy solution to prevent SQL injection when using user input?
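Since a `$1` placeholder inside the dollar-quoted Cypher text is literal text to PostgreSQL and never gets bound, the input has to be made part of the query text without being able to change its structure. The block below is an added example, not code from this issue or from Apache AGE: it encodes the user value as a Cypher string literal and wraps the statement in a dollar-quote tag that is guaranteed not to occur in the text, and shows the naive interpolation it replaces. It assumes that AGE's Cypher scanner accepts JSON-style backslash escapes (so `json.dumps()` output is a valid literal) and that graph names are plain identifiers; the helper names are hypothetical.

```python
import json
import re


def cypher_string_literal(value: str) -> str:
    """Encode value as a double-quoted Cypher string literal.

    Assumption (not confirmed by the issue): AGE's Cypher string literals
    accept the JSON escapes (\\" \\\\ \\n \\t \\uXXXX), so json.dumps() output
    is a literal in which a user-supplied quote cannot end the string early.
    """
    return json.dumps(value, ensure_ascii=True)


def dollar_quote(body: str) -> str:
    """Wrap body as a PostgreSQL dollar-quoted constant.

    The tag is chosen so that "$tag$" never occurs in body; with a plain $$
    quote, an input containing "$$" would terminate the constant and the
    remainder of the input would run as SQL.
    """
    tag, n = "cypher", 0
    while f"${tag}$" in body:
        n += 1
        tag = f"cypher{n}"
    return f"${tag}${body}${tag}$"


_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_create_person_sql(graph: str, name: str) -> str:
    """SQL for CREATE (v:Person {name: <name>}) with name embedded as one literal."""
    if not _IDENT.match(graph):
        # The graph name is spliced into the query text, so it must never be
        # free-form input; reject anything that is not a bare identifier.
        raise ValueError(f"graph name is not a plain identifier: {graph!r}")
    cypher = f"CREATE (v:Person {{name: {cypher_string_literal(name)}}})"
    return f"SELECT * FROM cypher('{graph}', {dollar_quote(cypher)}) AS (a agtype);"


def naive_create_person_sql(graph: str, name: str) -> str:
    """The injectable form: raw interpolation of name into the Cypher text."""
    return (
        f"SELECT * FROM cypher('{graph}', "
        f"$$CREATE (v:Person {{name: '{name}'}})$$) AS (a agtype);"
    )


if __name__ == "__main__":
    # Constructed attacker input: closes the literal and the map, then appends
    # a second node pattern that the naive form will happily execute.
    hostile = "Tom'}), (w:Admin {name: 'Eve"
    print(naive_create_person_sql("testgraph", hostile))  # two nodes created
    print(build_create_person_sql("testgraph", hostile))  # still one literal
    print(build_create_person_sql("testgraph", "$$"))     # $$ cannot break out
```

The resulting string is passed to `conn.execute(sql)` with no bind arguments, so the `statement_cache_size=0` setting from the reproduction is unaffected; only the value is escaped, while the graph name and the rest of the statement stay fixed in code.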

