You actually want prepared statement support, which neither of those functions supports. joomla-framework/database#39 is me trying to do that on the Framework code.

I agree a prepared statement is much better.

Doing a quick search in the CMS code it looks like there are 2 uses of pq_query() in joomla-cms/libraries/joomla/database/driver/postgresql.php

Do you think these could be converted to pg_query_params()?

Additionally, HHVM throws a notice on these pg_query() expects exactly 2 parameters, 1 given

The manual states "Note: Although connection can be omitted, it is not recommended, since it can be the cause of hard to find bugs in scripts." looks like HHVM is more strict about expecting the connection parameter.

pg_query_params() is a cheap way for named parameters for PostgreSQL. IMO it's NOT preferential over pg_query(). In a system with proper prepared statements, pg_execute() is the way to go.

As for the HHVM errors, IMO the fact the PHP API has an optional parameter followed by a required parameter seems like a major API design failure (although fixing it would probably be more of an annoying B/C break than it's worth). It'd be correct to always pass the connection resource, regardless of whether it's optional or not.

I'll deal with adding the connection for HHVM.

I'll close this with the expectation of your fix in the framework.

https://www.postgresql.org/docs/current/static/libpq-exec.html

The primary advantage of PQexecParams [pg_query_params() in PHP] over PQexec [pg_query() in PHP] is that parameter values can be separated from the command string, thus avoiding the need for tedious and error-prone quoting and escaping.