DAILY NEWS

Stay Ahead, Stay Informed – Every Day

Advertisement
PostgreSQL 22034 Error: Causes and Solutions Complete Guide


PostgreSQL Error 22034: more than one sql json item

PostgreSQL error code 22034 (more than one sql json item) occurs when a SQL/JSON function such as JSON_VALUE() or JSON_QUERY() encounters a JSON path expression that returns more than one item, while the function context expects exactly one. This error became more prevalent with the introduction of SQL-standard JSON functions in PostgreSQL 15 and later.

Top 3 Causes

1. Wildcard path in JSON_VALUE() returning multiple results

JSON_VALUE() strictly requires a single scalar return value. Using a wildcard like $across an array will match multiple elements and immediately trigger error 22034.

— Triggers 22034
SELECT JSON_VALUE(‘{“fruits”: (“apple”, “banana”, “cherry”)}’, ‘$.fruits’);

— Fix: specify an explicit index
SELECT JSON_VALUE(‘{“fruits”: (“apple”, “banana”, “cherry”)}’, ‘$.fruits(0)’);
— Result: “apple”

— Fix: suppress the error gracefully
SELECT JSON_VALUE(
‘{“fruits”: (“apple”, “banana”, “cherry”)}’,
‘$.fruits’
NULL ON ERROR
);
— Result: NULL

Enter fullscreen mode

Exit fullscreen mode

2. JSON_QUERY() without WITH ARRAY WRAPPER on multi-value paths

JSON_QUERY() also fails when a path resolves to multiple independent values and no wrapper option is provided to consolidate them into a single JSON array.

— Triggers 22034
SELECT JSON_QUERY(‘{“scores”: (95, 87, 76)}’, ‘$.scores’);

— Fix: wrap results into a JSON array
SELECT JSON_QUERY(
‘{“scores”: (95, 87, 76)}’,
‘$.scores’
WITH ARRAY WRAPPER
);
— Result: (95, 87, 76)

Enter fullscreen mode

Exit fullscreen mode

3. Navigating nested array structures with simple path expressions

Deeply nested JSON arrays compound the cardinality problem at every path step. Using JSON_VALUE() or JSON_QUERY() on paths that traverse multiple array levels without index constraints will almost always produce multiple results.

— Sample nested data
WITH doc AS (
SELECT ‘{“orders”: ({“id”:1}, {“id”:2}, {“id”:3})}’::jsonb AS data
)

— Triggers 22034 (multiple ids returned)
— SELECT JSON_VALUE(data::json, ‘$.orders.id’) FROM doc;

— Fix: use jsonb_path_query() to return a set of rows
SELECT jsonb_path_query(data, ‘$.orders.id’)
FROM doc;

— Fix: use jsonb_array_elements() for row-by-row processing
SELECT elem->>’id’ AS order_id
FROM doc, jsonb_array_elements(data->’orders’) AS elem;

Enter fullscreen mode

Exit fullscreen mode

Quick Fix Solutions

Scenario
Recommended Fix

Need only the first value
Use $.array(0) explicit index

Need all values as JSON array
JSON_QUERY(… WITH ARRAY WRAPPER)

Need all values as rows

jsonb_path_query() or jsonb_array_elements()

Want to avoid query failure
Add NULL ON ERROR clause

Complex nested structures
Use JSON_TABLE() (PostgreSQL 17+)

— JSON_TABLE() for structured unnesting (PostgreSQL 17+)
SELECT *
FROM JSON_TABLE(
‘{“orders”: ({“id”:1,”amt”:100},{“id”:2,”amt”:250})}’::json,
‘$.orders’
COLUMNS (
order_id INT PATH ‘$.id’,
amount INT PATH ‘$.amt’
)
) AS jt;

Enter fullscreen mode

Exit fullscreen mode

Prevention Tips

Always verify path cardinality before using scalar JSON functions.Before deploying queries with JSON path expressions into production, use jsonb_path_query_array() to check how many items a path returns. If the count exceeds one, switch to a set-returning function or add WITH ARRAY WRAPPER.

— Pre-flight cardinality check
SELECT jsonb_array_length(
jsonb_path_query_array(your_column, ‘$.some.path’)
)
FROM your_table
LIMIT 10;

Enter fullscreen mode

Exit fullscreen mode

Always declare explicit error and empty behavior clauses.Never rely on default behavior for SQL/JSON functions. Explicitly specifying NULL ON ERROR and NULL ON EMPTY prevents a single malformed or unexpectedly multi-valued JSON document from failing an entire query batch — especially critical when handling externally sourced JSON data.

SELECT JSON_VALUE(
payload::json,
‘$.event.type’
NULL ON EMPTY
NULL ON ERROR
)
FROM event_log;

Enter fullscreen mode

Exit fullscreen mode

Related Errors

22033 – invalid sql json subscript: bad array index in path expression

22032 – invalid json text: malformed JSON, often encountered before 22034

22035 – no sql json item: the opposite of 22034; path matches nothing

2203A – sql json scalar required: path returns an object/array where a scalar is expected

📖 Want a more detailed guide?Check out the full in-depth version (Korean) on oraerror.com — includes detailed analysis, additional SQL examples, and prevention tips.



Source link

The AI Agent Payment Wars Have Begun — Here’s What Actually Matters



Visa announced this week that AI agents can now use credit cards. Mastercard launched a protocol for AI-to-AI payments and micropayments. Catena Labs raised $30M and filed for a national trust bank charter to build an “AI-native bank.”

The agent payment wars are officially live.

But if you look past the headlines, the real story isn’t about competition between payment networks. It’s about a structural mismatch between legacy financial infrastructure and autonomous systems — and what it actually takes to solve it.

The Identity Gap No One’s Talking About

Here’s the problem: AI agents can’t open bank accounts.

They can’t pass KYC. They don’t have Social Security numbers. They can’t verify their identity using a driver’s license or utility bill. Every compliance layer in traditional finance is built around human identity.

Credit cards require all of this. When Visa says agents can “use credit cards,” what they’re really offering is a workaround — not a solution. Someone (a human) still owns the card. The agent is operating under delegation, not autonomy.

This isn’t a technical limitation. It’s an architectural one. Cards were designed 50 years ago for human consumers. Retrofitting them for agents is like adding a fax machine to a self-driving car.

Settlement Speed vs. Agent Speed

An agent booking a $47 flight needs three things:

Authorization in under 150ms
Policy enforcement (spend caps, recipient allowlists) in real-time
Immediate settlement

Cards can’t deliver this. Authorization might be fast, but settlement takes 3 days. Fraud models are built around human behavior patterns — purchase location, time of day, merchant category. None of this applies to agents operating autonomously across APIs.

Mastercard’s AI-to-AI protocol is a step in the right direction, but it still sits on top of card rails. The latency is baked into the foundation.

Meanwhile, stablecoin payments settle in seconds. USDC already dominates AI agent payments, according to CoinDesk. Not because developers are crypto ideologues — because it’s the only architecture that actually works for non-human actors.

Why Catena’s Bank Charter Matters More Than Visa’s Announcement

The most important signal this week wasn’t Visa or Mastercard. It was Catena Labs filing for a national trust bank charter.

Founded by Circle co-founder Sean Neville, Catena raised $30M to build financial infrastructure specifically for AI agents. But more importantly, they’re seeking regulatory approval to do it properly.

This proves two things:

The industry knows agents need financial access
Existing banks can’t provide it without regulatory reinvention

Catena is building at the banking layer — custody, compliance, identity. That’s a different layer than payment gateways like AgentWallex, but it validates the same thesis: legacy rails weren’t designed for this, and you can’t just patch them.

The MPC Advantage: Security Without Human Friction

Multi-party computation (MPC) wallets solve the core problem: agents need to authorize payments autonomously, but they can’t hold private keys.

With MPC, no single party ever holds the full key. A 2-of-3 threshold signing model means an agent can authorize a transaction without exposing secrets — and without requiring a human to approve every payment.

This isn’t just faster. It’s architecturally correct. Agents operate on policy, not instinct. You set spend caps, recipient allowlists, rate limits, and time-based rules once. Then the agent executes within those constraints — no manual approvals, no bottlenecks.

Compare that to card authorization: every purchase is either pre-approved (no control) or requires human intervention (not autonomous). There’s no middle ground.

What the Payment Wars Actually Mean for Builders

If you’re building AI agents today, here’s what matters:

Don’t wait for Visa and Mastercard to “solve” this. They’re offering retrofitted solutions to a structural problem. Cards will always carry human identity requirements and settlement delays.
Stablecoins aren’t a crypto preference — they’re a technical necessity. Agents need wallets that don’t require SSNs, KYC checks, or 3-day settlement windows.
MPC infrastructure is the security model that scales. Agents can’t hold keys. Humans shouldn’t approve every transaction. Policy-driven authorization with threshold signing is the only model that delivers both autonomy and control.
Watch the regulatory layer. Catena’s bank charter filing matters because it signals that compliance frameworks for agents are coming. Building on top of compliant infrastructure now will save you pain later.

We’ve Been Building for This Moment

At AgentWallex, we’ve been building the payment gateway for AI agents since before this became a headline war.

MPC-secured wallets. Sub-150ms authorization. Native support for x402 micropayments (pay-per-API-call billing). A policy engine that enforces rules without manual approvals. Stablecoin-first, starting with USDC on Base.

We’re not competing with Visa or Mastercard. We’re building the infrastructure layer they can’t — because we started with agents, not humans.

The payment wars have begun. But the real question isn’t who wins between card networks and crypto rails. It’s whether you’re building on architecture designed for the future, or retrofitted from the past.

Sandbox live now at app.agentwallex.com. 3,600+ teams already on the waitlist.

Follow & Try AgentWallex



Source link

My Side Project Security Audit Results — I’m Embarrassed to Share



I recently did a security audit of all the side projects I’m running. FastAPI backend, Telegram bot, PWA, Streamlit app and many more. I thought, “I made it with some care, so it’ll be okay.” Wrong. We honestly share each problem we found, why we made it that way, and how we fixed it. This is not a theoretical checklist, but rather bugs that I have actually deployed to production. 1. Authentication bypass due to empty secret (Critical) My code _API_SECRET = os.environ.get(“https://dev.to/justjinoit/API_SECRET_KEY”https://dev.to/justjinoit/, ‘”https://dev.to/justjinoit/) def verify_api_key(x_api_key: str = Header(default=”https://dev.to/justjinoit/)): if _API_SECRET and x_api_key != _API_SECRET: # ← Bug here raise HTTPException(status_code=401) Enter fullscreen mode Exit fullscreen mode if _API_SECRET and … Let’s look at the conditions. If there is no API_SECRET_KEY environment variable on the server, _API_SECRET becomes an empty string — falsy — and the entire condition is skipped. All requests pass as if authenticated. Why was it designed like this? I tried to “handle it gracefully” so that the server would not crash even if environment variables were not set during local development. The problem is that the “elegant processing” made it to production, and the moment you didn’t set API_SECRET_KEY on the server, the entire API was opened. How to modify _API_SECRET = os.environ.get(“https://dev.to/justjinoit/API_SECRET_KEY”https://dev.to/justjinoit/, ‘”https://dev.to/justjinoit/) def verify_api_key(x_api_key: str = Header(default=””https://dev.to/justjinoit/)): if not _API_SECRET: raise HTTPException(status_code=500, detail=”https://dev.to/justjinoit/API_SECRET_KEY not configured”https://dev.to/justjinoit/) if not secrets.compare_digest(x_api_key, _API_SECRET): raise HTTPException(status_code=401, detail=”https://dev.to/justjinoit/Unauthorized”https://dev.to/justjinoit/) Enter fullscreen mode Exit fullscreen mode No secret = 500 error, not open access. Secrets.compare_digest() is also applied to prevent timing attacks. Lesson: Don’t make authentication conditional on whether a secret is set or not. Missing settings should be a hard failure, not an open. 2. Secret committed in the Git history (Critical) Although it is not in the current code, the API key that I committed for a “quick test” a few months ago was still in the Git history. # How to check git log –all -p | grep -E “sk-ant-api03-(A-Za-z0-9_-){20,}” git log –all -p | grep -E “AIzaSy(A-Za-z0-9){20,}” Enter fullscreen mode Exit fullscreen mode Why does this happen? To test quickly in the beginning, hardcode the key and commit. I think I “fixed it” by later moving it to .env. But git remembers every commit forever. When a repo is released or a team member joins, anyone can retrieve keys from past commits. How to fix # Remove a specific file from the entire history pip install git-filter-repo git-filter-repo –path .env –invert-paths –force git push –force-with-lease origin main Enter fullscreen mode Exit fullscreen mode And the exposed key is immediately discarded + reissued. Cleaning up the git history does not cancel exposure that has already occurred. Lesson learned: Keys that have been committed to git even once are assumed to have already been stolen and reissued. 3. Debug endpoint production deployment (High) This endpoint was deployed on the production server: @app.get(“https://dev.to/justjinoit//debug/config”https://dev.to/justjinoit/) async def debug_config(): return { “https://dev.to/justjinoit/supabase_url”https://dev.to/justjinoit/: settings.supabase_url, “https://dev.to/justjinoit/environment”https://dev.to/justjinoit/: settings.env, “https://dev.to/justjinoit/connected_services”https://dev.to/justjinoit/: (…) } Enter fullscreen mode Exit fullscreen mode Why does this happen? Debug endpoints are really convenient during development. After solving the blockage, I forget to erase it. Since there is no error, no one tells you. How to edit: Delete. If runtime debugging is necessary, place it after authentication or write logs. # Pre-deployment check grep -rn ‘@app.get.*debug\|@app.post.*debug’ app/ Enter fullscreen mode Exit fullscreen mode Lesson: Add “Check removal of debug endpoints” to the deployment checklist. Otherwise, it’s better not to make it in the first place. 4. Internal information exposed as an error message (High) # My code except Exception as e: return JSONResponse({“https://dev.to/justjinoit/error”https://dev.to/justjinoit/: str(e)}, status_code=500) Enter fullscreen mode Exit fullscreen mode If you do this, this message will be sent to the client: FATAL: password authentication failed for user “postgres” (Errno 2) No such file or directory: ‘/home/ubuntu/app/config.json’ Module ‘xyz’ version 1.2.3 has no attribute ‘connect’ An attacker can use this information to determine the infrastructure structure, libraries in use, and known vulnerabilities by version. Why was it designed like this? This is also for development convenience. It is convenient when testing because you can immediately see the cause of the error with just str(e). The problem was that there was no layer between the internal error and the HTTP response. How to fix import logging logger = logging.getLogger(__name__) except Exception as e: logger.error(f”https://dev.to/justjinoit/Error: {e}”https://dev.to/justjinoit/, exc_info=True) # Only in server log return JSONResponse({“https://dev.to/justjinoit/error”https://dev.to/justjinoit/: “https://dev.to/justjinoit/internal server error”https://dev.to/justjinoit/}, status_code=500) Enter fullscreen mode Exit fullscreen mode Gives everything to the log and nothing to the HTTP response. Lesson: Server logs are for me, HTTP error responses are for the client. These two must be completely separated. 5. XSS (High) front-end code with innerHTML without escaping: articles.forEach(article => { container.innerHTML += ` ${article.title} ${article.summary} ${article.url}”>More `; }); Enter fullscreen mode Exit fullscreen mode When the same title is entered into the DB, it is executed in all users’ browsers. Why does this happen? It is because template literals feel like string formatting. When you use ${article.title}, it doesn’t feel like you’re rendering HTML. However, the browser parses the HTML there and executes it. “https://dev.to/justjinoit/<"https://dev.to/justjinoit/) .replace(/>/g, “https://dev.to/justjinoit/>”https://dev.to/justjinoit/) .replace(/”/g, “https://dev.to/justjinoit/””https://dev.to/justjinoit/); const safeUrl = u => /^https?:\/\//.test(u || ‘”https://dev.to/justjinoit/) ? u: “https://dev.to/justjinoit/#”https://dev.to/justjinoit/; container.innerHTML += ` ${esc(article.title)} ${esc(article.summary)} ${safeUrl(article.url)}” rel=”noopener noreferrer”>More `; Enter fullscreen mode Exit fullscreen mode Lesson learned: Every time you use innerHTML, you mentally read “I’m executing arbitrary code.” Then it’s difficult to miss the escape. 6. Rate limit on AI endpoints None (High) @app.post(“https://dev.to/justjinoit//analyze”https://dev.to/justjinoit/) async def analyze(item: Item, _: None = Depends(verify_api_key)): result = await ai_client.messages.create(…) # Cost per call return result Enter fullscreen mode Exit fullscreen mode Rate limit None. If you make infinite calls, you will be charged a lot of money in an instant. @limiter.limit(“https://dev.to/justjinoit/10/minute”https://dev.to/justjinoit/) async def analyze(request: Request, item: Item, _: None = Depends(verify_api_key)): … Enter fullscreen mode Exit fullscreen mode Lesson: Authentication prevents unauthorized access. Rate limits prevent authorized but abusive access. 7. CORS is needed in production. Wildcard (Medium) app.add_middleware( CORSMiddleware, allow_origins=(“https://dev.to/justjinoit/*”https://dev.to/justjinoit/), # Allow all sources… ) Enter fullscreen mode Exit fullscreen mode Why is it dangerous even if there is an API key? CORS is a browser-level firewall. If the API key is in the front-end JavaScript, an API call using that key can be made in the user’s browser through an XSS vulnerability on another site. Possible modification: import os ALLOWED_ORIGINS = os.environ.get(“https://dev.to/justjinoit/ALLOWED_ORIGINS”https://dev.to/justjinoit/, “https://dev.to/justjinoit/*”https://dev.to/justjinoit/).split(“https://dev.to/justjinoit/,”https://dev.to/justjinoit/) app.add_middleware( CORSMiddleware, allow_origins=ALLOWED_ORIGINS, allow_methods=(“https://dev.to/justjinoit/GET”https://dev.to/justjinoit/, “https://dev.to/justjinoit/POST”https://dev.to/justjinoit/), allow_headers=(“https://dev.to/justjinoit/X-API-Key”https://dev.to/justjinoit/, “https://dev.to/justjinoit/Content-Type”https://dev.to/justjinoit/), ) Enter fullscreen mode Exit fullscreen mode # production .env ALLOWED_ORIGINS=https://myapp.vercel.app Enter fullscreen mode Exit fullscreen mode Lesson: allow_origins=(“*”) is for local development only. Never distribute. 8. Do not delete temporary files (Medium) with tempfile.NamedTemporaryFile(suffix=”https://dev.to/justjinoit/.xlsx”https://dev.to/justjinoit/, delete=False) as tmp: tmp.write(uploaded_file.read()) tmp_path = tmp.name process_file(tmp_path) # If an exception occurs here, the temporary file will remain forever Enter fullscreen mode Exit fullscreen mode An exception occurs in process_file() When exploded, temporary files are not deleted from the long-term operating server, and if the file contains user-sensitive data, it remains on the disk. How to fix tmp_path = None with tempfile.NamedTemporaryFile(suffix=”https://dev.to/justjinoit/.xlsx”https://dev.to/justjinoit/, delete=False) as tmp: tmp.write(uploaded_file.read()) tmp_path = tmp.name try: process_file(tmp_path) finally: if tmp_path and os.path.exists(tmp_path): os.unlink(tmp_path) Enter fullscreen mode Exit fullscreen mode Lesson: The code path that creates the file is also responsible for deletion. Finally is always executed even if there is an exception. After this audit, I created a checklist that is enforced on all projects: Before writing code: ( ) Create .gitignore (.env, *.key, sessions/, credentials.json) ( ) Create .env.example (template without actual values) All endpoints: ( ) Add authentication (500 error, not bypass if no secret) ( ) Error response is generic message only (str(e) prohibited) ( ) Rate limit on AI/cost-generating endpoints Frontend: ( ) Escape for all uses of innerHTML ( ) Verify that URL starts with https:// ( ) For external links rel=”noopener noreferrer” Before commit: git diff –cached | This is because it was always treated as a separate step after feature development. Add a TODO comment: “Let’s clean it up later.” Deploying “temporary” code as is. The only solution I’ve found is to insert security checks into natural timings: before commit, before deployment, and the cost of fixing the bugs themselves is tedious. If you are running a backend, we recommend checking the above pattern yourself if _SECRET and key != _SECRET Authentication bypass is much more common than you think.



Source link