LGTM as well, for what it's worth. Just to mirror my feedback here so it's tracked for the future, while this fix will work in our environment as-deployed, be cautious with the "replace all single-quotes with two single-quotes" strategy to prevent injections. Tricks like double-encoding or the use of equivalent UTF-8 characters can cause localization-related headaches on some configurations that may accidentally re-open this hole, and really this mostly just works because Postgres is very specific about its syntax. Similar tricks would be easily bypassed in MS-SQL or MySQL (without ANSI_QUOTES) with backslashes or comment injection.
More information available from OWASP here: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet