Les <nagylzs@gmail.com> writes:
> PostgreSQL server log:
> 2022-01-05 17:35:25.831 CET [58] ERROR: syntax error at or near "$1" at
> character 35
> 2022-01-05 17:35:25.831 CET [58] STATEMENT: ALTER USER postgres WITH
> PASSWORD $1
Yeah, as a general rule parameters can only be used in DML commands
(SELECT/INSERT/UPDATE/DELETE). Utility commands don't support them
because they don't have expression-evaluation capability.
(Perhaps this will change someday, but don't hold your breath.)
> Passwords can also contain special characters. If I can't use parameters to
> do this, then how should I quote them in a safe way?
Most client libraries should have a function to convert an arbitrary
string into a safely-quoted SQL literal that you can embed into the
command. I don't know psycopg3, so I don't know what it has for that.
regards, tom lane