sendBatchExtendedWithDescription passes eqb.ResultFormats to
SendQueryStatement by reference. The next Build call reuses the backing
array (reset sets len=0, append overwrites), corrupting the stored format
codes for earlier queries. The server sends binary data (Bind was encoded
correctly), but the local scan plan uses the corrupted text format code.

Introduced in v5.9.0 by c3a1750 ("pgx batch uses SendQueryStatement"),
part of "Skip Describe Portal for cached prepared statements reducing
network round trips". The previous SendQueryPrepared path sent Describe
Portal, so the server's RowDescription provided correct format codes
regardless of the stored slice contents.

Signed-off-by: Dirkjan Bussink <[email protected]>

Add failing test: batch scan corrupted in cache_statement mode

Copy ResultFormats slice before passing to SendQueryStatement, which
stores it for later use. The extended query builder reuses the backing
array on the next loop iteration, corrupting format codes stored for
earlier queries in the batch.

Fixes the bug exposed by the test in #2524.

Co-Authored-By: Claude Opus 4.6 <[email protected]>

When `max_protocol_version` is not explicitly set, the default value is
set to "3.0". This is reasonable and is inline with the same behavior as
libpq[1]. Though, what libpq attempts to do that was not being done here
is to reasonably upgrade or auto-raise the value of
`max_protocol_version` when it has not been explicitly set.

Here, we're providing the same functionality. In libpq, this
determination is based on the parsed config values. We do the same here,
parsing the values in ParseConfig to validate and determine the
appropriate default for max_protocol_version. The string fields on
Config are then set accordingly, and re-parsed at connection time as
before.

After parsing, when `max_protocol_version` has not been explicitly set,
if `min_protocol_version` is greater than 3.0, `max_protocol_version`
defaults to `latest`; otherwise it defaults to 3.0 for compatibility
with older servers/poolers that don't support NegotiateProtocolVersion.

[1] postgres/postgres@285613c

Update `max_protocol_version` and `min_protocol_version` defaults

This test occasionally failed in CI. This test purported to test that
context watch doesn't leak goroutines. But goroutines can be created
at any time by the Go runtime. These goroutines could also finish at any
time.

To properly test for leaked goroutines, we would need to use something
like go.uber.org/goleak. But I'd rather not add a dependency.

The new context watch implementation doesn't manually create goroutines,
so we can be reasonably confident that it doesn't leak goroutines
without this test.

…ite fields

Named integer types implementing fmt.Stringer (e.g. protobuf enums) were
encoded using their String() output instead of their numeric value when used
inside composite type fields. This happened because TryWrapBuiltinTypeEncodePlan
matched fmt.Stringer before TryWrapFindUnderlyingTypeEncodePlan could convert
the type to its underlying integer.

Extract fmt.Stringer handling into a new TryWrapStringerEncodePlan function that
runs after TryWrapFindUnderlyingTypeEncodePlan. The wrapper loop's existing
"first successful recursive plan wins" semantics ensures the right behavior:
numeric codecs match for numeric OIDs, Stringer is used as fallback for text OIDs.

Fixes #2527

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

Add godoc links: see https://go.dev/doc/comment#doclinks

doc: add godoc links

…rflow

The simple-protocol SQL sanitizer treated $N found inside PostgreSQL
dollar-quoted strings ($$...$$ and $tag$...$tag$) as placeholders and
substituted them into what PostgreSQL considers literal text. A crafted
arg value could then close the dollar-quote from inside and run
arbitrary SQL (see the new proof-of-concept test in query_test.go).

The lexer now recognizes dollar-quoted strings using PostgreSQL's tag
grammar (from scan.l) and preserves their contents verbatim.

Placeholder numbers are also clamped at MaxInt32 rather than silently
overflowing. Previously "$92233720368547758070" wrapped to -10; if the
wrap had landed on a valid positive index it would have aliased a
different argument.

Adds unit tests, fuzz seeds, and an integration PoC.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>