Add a note about alternative to parameterized queries for DDL (#94)

Envek · web-flow · commit 431b7c69463e · 2020-08-13T12:17:58.000-05:00
diff --git a/content/features/2-queries.mdx b/content/features/2-queries.mdx
@@ -63,6 +63,10 @@ try {
 }
 ```
 
+<div class="alert alert-warning">
+  PostgreSQL does not support parameters for identifiers. If you need to have dynamic database, schema, table, or column names (e.g. in DDL statements) use <a href="https://www.npmjs.com/package/pg-format">pg-format</a> package for handling escaping these values to ensure you do not have SQL injection!
+</div>
+
 Parameters passed as the second argument to `query()` will be converted to raw data types using the following rules:
 
 **null and undefined**

Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,10 @@ try {`
`63`	`63`	`}`
`64`	`64`	```
`65`	`65`
	`66`	`+<div class="alert alert-warning">`
	`67`	`+ PostgreSQL does not support parameters for identifiers. If you need to have dynamic database, schema, table, or column names (e.g. in DDL statements) use <a href="https://www.npmjs.com/package/pg-format">pg-format</a> package for handling escaping these values to ensure you do not have SQL injection!`
	`68`	`+</div>`
	`69`	`+`
`66`	`70`	Parameters passed as the second argument to `query()` will be converted to raw data types using the following rules:
`67`	`71`
`68`	`72`	`null and undefined`