Parameterize explain statement queries in postgres integration (DataDog#23392)

jasonmp85 · claude · web-flow · commit ee5014de26b6 · 2026-04-20T20:16:38.000Z
* Parameterize explain statement queries in postgres integration

Replace dollar-quoting string interpolation with psycopg bound
parameters when calling the explain function, improving robustness
of query handling.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;

* Add changelog entry for postgres explain statement fix

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;

---------

Co-authored-by: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/postgres/changelog.d/23392.fixed b/postgres/changelog.d/23392.fixed
@@ -0,0 +1 @@
+Fix explain statement query construction when statement text contains dollar-quote delimiters.
diff --git a/postgres/datadog_checks/postgres/explain_parameterized_queries.py b/postgres/datadog_checks/postgres/explain_parameterized_queries.py
@@ -24,7 +24,7 @@
 
 EXECUTE_PREPARED_STATEMENT_QUERY = 'EXECUTE dd_{prepared_statement}{parameters}'
 
-EXPLAIN_QUERY = 'SELECT {explain_function}($stmt${statement}$stmt$)'
+EXPLAIN_QUERY = 'SELECT {explain_function}(%s)'
 
 
 def agent_check_getter(self):
@@ -157,10 +157,8 @@ def _explain_prepared_statement(self, conn, statement, obfuscated_statement, que
             prepared_statement_query = self._generate_prepared_statement_query(conn, query_signature)
             return self._execute_query_and_fetch_rows(
                 conn,
-                EXPLAIN_QUERY.format(
-                    explain_function=self._explain_function,
-                    statement=prepared_statement_query,
-                ),
+                EXPLAIN_QUERY.format(explain_function=self._explain_function),
+                (prepared_statement_query,),
             )
         except Exception as e:
             logged_statement = obfuscated_statement
@@ -189,9 +187,9 @@ def _execute_query(self, conn, query):
             logger.debug('Executing query=[%s]', query)
             cursor.execute(query, ignore_query_metric=True)
 
-    def _execute_query_and_fetch_rows(self, conn, query):
+    def _execute_query_and_fetch_rows(self, conn, query, params=None):
         with conn.cursor() as cursor:
-            cursor.execute(query, ignore_query_metric=True)
+            cursor.execute(query, params, ignore_query_metric=True)
             return cursor.fetchall()
 
     def _is_parameterized_query(self, statement: str) -> bool:
diff --git a/postgres/datadog_checks/postgres/statement_samples.py b/postgres/datadog_checks/postgres/statement_samples.py
@@ -725,9 +725,8 @@ def _run_explain(self, dbname, statement, obfuscated_statement):
                     "Running query on dbname=%s: %s(%s)", dbname, self._explain_function, obfuscated_statement
                 )
                 cursor.execute(
-                    """SELECT {explain_function}($stmt${statement}$stmt$)""".format(
-                        explain_function=self._explain_function, statement=statement
-                    ),
+                    "SELECT {}(%s)".format(self._explain_function),
+                    (statement,),
                     ignore_query_metric=True,
                 )
                 result = cursor.fetchone()

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Fix explain statement query construction when statement text contains dollar-quote delimiters.`
Original file line number	Diff line number	Diff line change
`@@ -725,9 +725,8 @@ def _run_explain(self, dbname, statement, obfuscated_statement):`
`725`	`725`	`"Running query on dbname=%s: %s(%s)", dbname, self._explain_function, obfuscated_statement`
`726`	`726`	`)`
`727`	`727`	`cursor.execute(`
`728`		`- """SELECT {explain_function}($stmt${statement}$stmt$)""".format(`
`729`		`- explain_function=self._explain_function, statement=statement`
`730`		`- ),`
	`728`	`+ "SELECT {}(%s)".format(self._explain_function),`
	`729`	`+ (statement,),`
`731`	`730`	`ignore_query_metric=True,`
`732`	`731`	`)`
`733`	`732`	`result = cursor.fetchone()`