Phillip Diffley <phillip6...@gmail.com> writes:
> Is there a reliable way to determine if an identifier has already been
> escaped, or alternatively is there a function that will stably escape an
> identifier such that the identifier will not change if the function is
> called repeatedly?

This is impossible in general, because you can't know if the
double-quotes are meant to be part of the identifier value.

My advice here would be to flat-out reject input identifiers that
contain double quotes.  I'd suggest banning newlines too while
at it, as those are known to create security issues in some
contexts.

                        regards, tom lane
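
The ambiguity and the reject-instead-of-guess policy from the reply above, as an added example that is not part of the original message and not PostgreSQL code. The function names are hypothetical, and treating a carriage return as a newline is an assumption of this sketch.

```python
# Added illustration; these helpers are hypothetical, not PostgreSQL APIs.

def quote_ident(raw: str) -> str:
    """SQL delimited-identifier quoting: wrap in quotes, double embedded quotes."""
    return '"' + raw.replace('"', '""') + '"'


def unquote_ident(quoted: str) -> str:
    """Inverse of quote_ident for a well-formed delimited identifier."""
    if len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
        raise ValueError("not a delimited identifier")
    body = quoted[1:-1]
    # Any quote left after removing doubled pairs is a stray, unescaped quote.
    if '"' in body.replace('""', ''):
        raise ValueError("stray double quote inside identifier")
    return body.replace('""', '"')


class RejectedIdentifier(ValueError):
    """Raised when the input cannot be quoted without guessing its meaning."""


def safe_quote_ident(raw: str) -> str:
    """Refuse double quotes and newlines, then quote exactly once."""
    # "\r" is included as a newline variant (assumption of this example).
    for ch, name in (('"', "double quote"), ("\n", "newline"), ("\r", "newline")):
        if ch in raw:
            raise RejectedIdentifier(f"identifier contains a {name}: {raw!r}")
    return quote_ident(raw)


if __name__ == "__main__":
    text = '"a"'  # constructed input: three characters, quote-a-quote
    # Reading 1: text is already escaped and names the identifier a.
    print("as escaped ->", unquote_ident(text))
    # Reading 2: text is a raw value whose quotes are part of the name.
    print("as raw     ->", quote_ident(text))
    # Both readings are well formed, so no inspection can tell them apart,
    # and quoting is not idempotent: each pass produces a different name.
    print("twice      ->", quote_ident(quote_ident("a")))
    for candidate in ("my table", '"a"', "a\nb"):
        try:
            print("accepted   ->", safe_quote_ident(candidate))
        except RejectedIdentifier as exc:
            print("rejected   ->", exc)
```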

