Thanks!

On Sun, Jun 15, 2025 at 10:11 PM Tom Lane <t...@sss.pgh.pa.us> wrote:

> Phillip Diffley <phillip6...@gmail.com> writes:
> > Is there a reliable way to determine if an identifier has already been
> > escaped, or alternatively is there a function that will stably escape an
> > identifier such that the identifier will not change if the function is
> > called repeatedly?
>
> This is impossible in general, because you can't know if the
> double-quotes are meant to be part of the identifier value.
>
> My advice here would be to flat-out reject input identifiers that
> contain double quotes.  I'd suggest banning newlines too while
> at it, as those are known to create security issues in some
> contexts.
>
> regards, tom lane
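An added example, not code from this thread or from PostgreSQL: a sketch of why identifier quoting cannot be made idempotent, and of the reject-then-quote-once policy suggested above. The helper names are hypothetical, the quoting is the always-quote form (wrap in double quotes, double any embedded ones), and rejecting `\r` along with `\n` is an assumption of this example.

```python
def quote_ident(name: str) -> str:
    """Always-quote form: wrap in double quotes, double embedded ones."""
    return '"' + name.replace('"', '""') + '"'


def unquote_ident(quoted: str) -> str:
    """Recover the identifier value from a string known to be quoted."""
    if len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
        raise ValueError("not a quoted identifier")
    return quoted[1:-1].replace('""', '"')


# Characters refused in caller-supplied identifiers. '"' and newline come
# from the advice in the thread; '\r' is an assumption of this example.
FORBIDDEN = ('"', "\n", "\r")


def safe_quote_ident(name: str) -> str:
    """Reject ambiguous or risky input, then quote exactly once."""
    if not name:
        raise ValueError("empty identifier")
    for ch in FORBIDDEN:
        if ch in name:
            raise ValueError(f"identifier contains forbidden character {ch!r}")
    return quote_ident(name)


def ambiguity_demo() -> dict:
    """Show that quoting twice silently names a different object."""
    raw = "my table"                 # constructed sample input
    once = quote_ident(raw)          # "my table"
    twice = quote_ident(once)        # """my table"""
    return {
        "once": once,
        "twice": twice,
        # The doubly quoted form is valid, but it refers to an identifier
        # whose value includes the quote characters.
        "value_named_by_twice": unquote_ident(twice),
        "idempotent": once == twice,
    }


if __name__ == "__main__":
    for key, value in ambiguity_demo().items():
        print(f"{key}: {value}")
```

With the rejection in place, a caller that passes an already-quoted name gets an error at the boundary instead of a statement that targets a differently named object.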