use only Named Parameters is sql injection safe?

[DuginK]

sql parameter is not checked on the postgres server, is it safe for injection attacks?

[vitaly-t]

It is safe, for as long as you do not pass in data that comes directly from web. But even then, use of proper escape filters would stop an attack.