Thanks!
On Sun, Jun 15, 2025 at 10:11 PM Tom Lane wrote:
> Phillip Diffley writes:
> > Is there a reliable way to determine if an identifier has already been
> > escaped, or alternatively is there a function that will stably escape an
> > identifier such that the identifier will not change if t

Phillip Diffley writes:
> Is there a reliable way to determine if an identifier has already been
> escaped, or alternatively is there a function that will stably escape an
> identifier such that the identifier will not change if the function is
> called repeatedly?
This is impossible in general,

I am in a situation where I need to run dynamically generated queries with
identifiers from an untrusted source. For example
SELECT * FROM WHERE = $1;
We can use format('%I', ) to escape the identifier and
avoid a security vulnerability, but if the provided identifier is already
escaped, this in
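
The following is an added example, not part of the original thread. It shows why the escaping state of an identifier cannot be read back from the string: the output of format('%I') for one name is itself a legal raw name for a different object. All table names and values are constructed for the demonstration, and the block is written for PostgreSQL (PL/pgSQL ASSERT needs 9.5 or later).

```sql
BEGIN;

-- Two distinct tables: one named  my table , and one whose name
-- contains the double-quote characters themselves.
CREATE TEMP TABLE "my table"     (id int, note text);
CREATE TEMP TABLE """my table""" (id int, note text);
INSERT INTO "my table"     VALUES (1, 'plain name');
INSERT INTO """my table""" VALUES (1, 'name contains quotes');

DO $$
DECLARE
    raw_name text := 'my table';              -- raw, never-escaped identifier
    once     text := format('%I', raw_name);  -- escaped one time
    twice    text := format('%I', once);      -- escaped a second time
    got      text;
BEGIN
    -- A name that needs no quoting passes through unchanged, so repeated
    -- escaping looks stable for simple identifiers...
    ASSERT format('%I', format('%I', 'accounts')) = 'accounts';

    -- ...but once quoting is required, a second pass changes the result.
    ASSERT once  = '"my table"';
    ASSERT twice = '"""my table"""';

    -- Escaping the raw name exactly once, where the SQL text is built,
    -- addresses the intended table. The value travels as a parameter.
    EXECUTE format('SELECT note FROM %I WHERE id = $1', raw_name)
        INTO got USING 1;
    ASSERT got = 'plain name';

    -- Feeding the already-escaped string through %I again is still valid
    -- SQL, but it silently addresses the other table, whose raw name is
    -- the same sequence of characters.
    EXECUTE format('SELECT note FROM %I WHERE id = $1', once)
        INTO got USING 1;
    ASSERT got = 'name contains quotes';
END
$$;

ROLLBACK;
```

Because both readings of the string are valid, the escaping state has to be tracked by the caller: store and pass identifiers in raw form and apply %I only at the point where the query text is assembled.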