Thanks!

On Sun, Jun 15, 2025 at 10:11 PM Tom Lane <[email protected]> wrote:
> Phillip Diffley <[email protected]> writes:
> > Is there a reliable way to determine if an identifier has already been
> > escaped, or alternatively is there a function that will stably escape an
> > identifier such that the identifier will not change if the function is
> > called repeatedly?
>
> This is impossible in general, because you can't know if the
> double-quotes are meant to be part of the identifier value.
>
> My advice here would be to flat-out reject input identifiers that
> contain double quotes. I'd suggest banning newlines too while
> at it, as those are known to create security issues in some
> contexts.
>
> regards, tom lane
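
The advice quoted above, as an added example that is not part of the original thread and is not PostgreSQL or libpq code: always-quote escaping changes its output on every pass, while a reject-then-quote helper turns a second pass into an error. The names `naive_quote`, `safe_quote` and `UnsafeIdentifier` are hypothetical, and treating `\r` as a newline and rejecting empty input are assumptions beyond what the message states.

```python
class UnsafeIdentifier(ValueError):
    """Raised when an identifier cannot be quoted unambiguously."""


# Double quote and newline come from the advice in the thread;
# carriage return is an added assumption (treated as a newline variant).
FORBIDDEN = ('"', "\n", "\r")


def naive_quote(ident: str) -> str:
    """Always-quote escaping: wrap in double quotes, double embedded ones.

    Not idempotent: the quotes added by one pass are escaped by the next.
    """
    return '"' + ident.replace('"', '""') + '"'


def safe_quote(ident: str) -> str:
    """Reject ambiguous or risky input, then quote exactly once."""
    if not ident:
        # Assumption: empty names are rejected up front.
        raise UnsafeIdentifier("empty identifier")
    for ch in FORBIDDEN:
        if ch in ident:
            raise UnsafeIdentifier(f"forbidden character {ch!r} in identifier")
    return '"' + ident + '"'


def quote_twice(quoter, ident: str) -> str:
    """Simulate a pipeline that accidentally escapes the same value twice."""
    return quoter(quoter(ident))


if __name__ == "__main__":
    # Constructed sample inputs.
    print(naive_quote("users"))               # quoted once
    print(quote_twice(naive_quote, "users"))  # silently a different name
    for candidate in ("users", '"users"', "a\nb"):
        try:
            print(repr(candidate), "->", safe_quote(candidate))
        except UnsafeIdentifier as exc:
            print(repr(candidate), "-> rejected:", exc)
```

With `safe_quote`, input that already carries double quotes is refused instead of being guessed at, so double escaping surfaces as an error at the boundary rather than as a reference to the wrong object.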
