Is the following function immune to SQL attacks? (I'm using Node.js and 'pg'). s is any string that a user provides (it can have malicious intent).

import pg from 'pg' // import postgres nodejs

var readFromDB = (s) => {
  s = doubleEscapeSingleQuote(s);
  const dbQueryString = `SELECT * FROM table WHERE id = '${s}'::int8`
}

I really think this is immune to all SQL injections. Any single quotes in s get double-escaped, and then the whole thing is surrounded by single quotes, so it will always be interpreted as a string and then converted back to an int. If there's any error then the query will fail as it should.

I'm sure it's best practice to use $1 notation instead, but I really don't see a point in doing that if this is totally valid. Can you let me know if there's actually a problem with what I'm doing?