[lowsong]

Parameterized queries have been a thing for decades, which mitigate SQL injection attacks.[1] This is true of the examples in the post too, they used this:

  query = """
            SELECT * from tasks
            WHERE id = $1
            AND state = $2
            FOR UPDATE SKIP LOCKED
        """
  rec = await self.db.fetchone(query=query, args=[task_id, TaskState.PENDING], connection=connection)

[1] https://en.wikipedia.org/wiki/SQL_injection#Parameterized_st...

[Lockal]

Parameterized queries fail to protect from SQL injection for decades, because database engine developers fail to listen. What could work instead, if any parameter could be safely injected:

    SELECT $1, $2($3) FROM $4
    WHERE $5 $6 $7
    GROUP BY $1
    ORDER BY $8 $9

but at that point SQL loses its point and turns into MongoDB query language.