by molsson
2551 days ago
The content overview doesn't include anything about escaping data to prevent SQL injection (escaping of literals vs escaping of table/field names etc.). This is important to get right, and postgres has a slightly different approach compared to mysql and others.

For example, you can and should use parametric queries like: client.query('INSERT INTO mytable(a) VALUES ($1)', ['hello'])

...but that doesn't work for all types of queries; for example you get an error for: client.query('SET LOCAL SEED = $1', [someVal])

Another example: you might need to build a dynamic where-clause based on data from an "advanced search" UI query builder, and then you need to make a list of all the "foo = $N" parts (and increment $N as you go), plus another list of the actual variables. Maybe there are some nice tricks / techniques to simplify that?
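One way to handle the dynamic where-clause and the SET LOCAL case the comment raises, as an added example (not the commenter's code, and not part of node-postgres): column and operator allowlists, the `mytable` table name and the filter values are all constructed for illustration.

```javascript
// Added example, not from the comment above: build a parameterised WHERE
// clause for node-postgres, incrementing $N so values never enter the SQL text.

// Allowlists are constructed for this example; identifiers not listed here
// are rejected, since $N placeholders cannot stand in for column names.
const ALLOWED_COLUMNS = new Set(['id', 'owner', 'status', 'created_at']);
const ALLOWED_OPS = { eq: '=', ne: '<>', lt: '<', gt: '>', like: 'ILIKE' };

// Quote an identifier the PostgreSQL way (double quotes, embedded quotes
// doubled). Applied after the allowlist check, as defence in depth.
function quoteIdent(name) {
  return '"' + String(name).replace(/"/g, '""') + '"';
}

// filters: [{ column, op, value }] from the UI. Returns the clause text, the
// values array for client.query(text, values), and the next free $N.
function buildWhere(filters, startIndex = 1) {
  const parts = [];
  const values = [];
  let n = startIndex;
  for (const f of filters) {
    if (!ALLOWED_COLUMNS.has(f.column)) throw new Error(`column not allowed: ${f.column}`);
    const op = ALLOWED_OPS[f.op];
    if (!op) throw new Error(`operator not allowed: ${f.op}`);
    parts.push(`${quoteIdent(f.column)} ${op} $${n}`);
    values.push(f.value);
    n += 1;
  }
  const text = parts.length ? ' WHERE ' + parts.join(' AND ') : '';
  return { text, values, nextIndex: n };
}

// SET LOCAL rejects $N parameters (as the comment notes), so the value must
// be validated strictly before it is placed in the statement text. SEED is
// a float in [-1, 1], so anything else is refused outright.
function setLocalSeed(seed) {
  if (typeof seed !== 'number' || !Number.isFinite(seed) || seed < -1 || seed > 1) {
    throw new Error('seed must be a finite number in [-1, 1]');
  }
  return `SET LOCAL SEED = ${seed}`;
}

// Constructed sample: a value containing a quote stays in the values array,
// so the generated SQL text never contains it.
const sampleFilters = [
  { column: 'owner', op: 'eq', value: "O'Brien" },
  { column: 'status', op: 'ne', value: 'deleted' },
];
const sampleQuery = buildWhere(sampleFilters);
// client.query('SELECT * FROM mytable' + sampleQuery.text, sampleQuery.values)
```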