Search⌘ K
AI Features

PostgreSQL Protocol: Server-Side Prepared Statements

Explore how PostgreSQL implements server-side prepared statements through the extended query protocol. Understand the roles of parse, bind, and execute messages in securely sending queries and parameters separately, eliminating the risk of SQL injection. Learn practical use with asyncpg driver examples for safe and efficient query execution.

It’s possible to send the query string and its arguments separately on the wire by using server-side prepared statements. This is a pretty common way to do it, mostly because PQexecParams isn’t well-known, though it made its debut in PostgreSQL 7.4 in 2003. To this day, a lot of PostgreSQL drivers still don’t expose the PQexecParams facility, which is unfortunate.

Server-side prepared statements can be used in SQL thanks to the prepare and execute commands syntax, as in the ...