Hello
I think quote_ident is secure.
You can add more security via an explicit cast to the regclass type, to
check whether the value of the variable is really a relation identifier:
postgres=# select quote_ident('omega b')::regclass;
 quote_ident
-------------
 "omega b"
(1 row)
postgres=# select quote_ident('o
Since this stripped down example function looks a bit meaningless, I'd like to
rephrase the question to make it more clear: Does quote_ident() prevent all
ways of trying to inject SQL into $1 so that the testinjection function cannot
be used to do anything else than setting column c to null in a
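
The quote_ident()-plus-regclass check suggested in the reply, written out as a PL/pgSQL function. This is an added example, not code from the thread: the function name null_c_checked, the table layout and the sample inputs are assumptions, and the relkind test goes one step beyond the reply by also rejecting views, indexes and sequences.

```sql
-- Constructed table for the example; the name comes from the reply above.
CREATE TABLE "omega b" (id int PRIMARY KEY, c text);
INSERT INTO "omega b" VALUES (1, 'x'), (2, 'y');

-- Hypothetical function: sets column c to NULL in the table named by tabname.
CREATE FUNCTION null_c_checked(tabname text) RETURNS bigint
LANGUAGE plpgsql AS $$
DECLARE
    rel regclass;
    n   bigint;
BEGIN
    -- quote_ident() turns the input into a single quoted identifier.
    -- The cast to regclass then raises an error unless that identifier
    -- names an existing relation visible on the search_path.
    rel := quote_ident(tabname)::regclass;

    -- regclass accepts any relation, so restrict it to ordinary tables.
    IF (SELECT relkind FROM pg_class WHERE oid = rel) <> 'r' THEN
        RAISE EXCEPTION 'not an ordinary table: %', rel;
    END IF;

    -- %s on a regclass value prints the relation name already quoted
    -- (and schema-qualified when it is not on the search_path).
    EXECUTE format('UPDATE %s SET c = NULL', rel);
    GET DIAGNOSTICS n = ROW_COUNT;
    RETURN n;
END;
$$;

-- Existing table: the UPDATE runs.
SELECT null_c_checked('omega b');

-- Constructed hostile input: quote_ident() makes the whole string one
-- identifier, no such relation exists, the cast fails, nothing is executed.
SELECT null_c_checked('omega b; DROP TABLE "omega b"');

-- The primary-key index is a relation too, but the relkind test rejects it.
SELECT null_c_checked('omega b_pkey');
```

The check confirms that the name is an existing table; which tables the caller may actually update is still decided by the privileges the function runs with.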