Re: Stably escaping an identifier

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Phillip Diffley <phillip6402(at)gmail(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Stably escaping an identifier
Date: 2025-06-15 20:11:24
Message-ID: 310038.1750018284@sss.pgh.pa.us
Lists: pgsql-general

Phillip Diffley <phillip6402(at)gmail(dot)com> writes:
> Is there a reliable way to determine if an identifier has already been
> escaped, or alternatively is there a function that will stably escape an
> identifier such that the identifier will not change if the function is
> called repeatedly?

This is impossible in general, because you can't know if the
double-quotes are meant to be part of the identifier value.

My advice here would be to flat-out reject input identifiers that
contain double quotes. I'd suggest banning newlines too while
at it, as those are known to create security issues in some
contexts.

regards, tom lane
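To make the point of the reply concrete, here is an added example (not code from the thread or from PostgreSQL) showing why a "quote only if it is not already quoted" check cannot be made sound, and what the recommended alternative looks like. `quote_ident` below is a local reimplementation of the documented rule of PostgreSQL's `quote_ident()` (wrap in double quotes, double any embedded double quote) so that it runs without a database; `looks_already_quoted`, `unsound_quote`, `checked_ident` and `build_select` are hypothetical helpers written for this example, and the injection payload is a constructed input.

```python
"""Why PostgreSQL identifier quoting cannot be made idempotent, and the
reject-then-quote alternative.  Added example; not PostgreSQL's code.
quote_ident() is a local reimplementation of the documented rule of the
SQL function of the same name so the example runs offline."""


def quote_ident(name: str) -> str:
    """Wrap in double quotes and double every embedded double quote.
    Applying this twice always changes the result, because the outer
    quotes of the first pass are just characters of the name on the
    second pass."""
    return '"' + name.replace('"', '""') + '"'


def looks_already_quoted(s: str) -> bool:
    """The tempting heuristic: treat anything wrapped in double quotes as
    already escaped.  Present only to show that it is unsound."""
    return len(s) >= 2 and s[0] == '"' and s[-1] == '"'


def unsound_quote(s: str) -> str:
    """Skip quoting when the heuristic says the name is already quoted.
    A name that merely starts and ends with a quote passes through
    untouched, quotes, semicolons and all."""
    return s if looks_already_quoted(s) else quote_ident(s)


def checked_ident(name: str) -> str:
    """The approach recommended in the reply: refuse names containing a
    double quote or a line break, then quote unconditionally.  Since no
    accepted input can already be in quoted form, quoting happens exactly
    once and there is nothing to make "stable".  Treating '\\r' as a line
    break alongside '\\n' is this example's own choice."""
    if not name:
        raise ValueError("empty identifier")
    if '"' in name:
        raise ValueError(f"identifier contains a double quote: {name!r}")
    if "\n" in name or "\r" in name:
        raise ValueError(f"identifier contains a line break: {name!r}")
    return quote_ident(name)


def build_select(column: str, table: str) -> str:
    """Hypothetical helper: assemble a statement from user-supplied names."""
    return f"SELECT {checked_ident(column)} FROM {checked_ident(table)}"


if __name__ == "__main__":
    # One string, two legitimate readings: '"foo"' may be the quoted form
    # of the name foo, or a raw name whose value includes the quote marks.
    print(quote_ident("foo"))      # "foo"
    print(quote_ident('"foo"'))    # """foo"""  (a column literally named "foo")

    # Constructed payload: the heuristic sees a "quoted" identifier and
    # passes it through, so it lands verbatim in the statement text.
    payload = '"x" FROM t; DROP TABLE t; --"'
    print("SELECT " + unsound_quote(payload) + " FROM sales")

    # Reject-then-quote: mixed case and spaces are fine, quotes are not.
    print(build_select("Order Total", "sales"))
    try:
        checked_ident('a"b')
    except ValueError as exc:
        print("rejected:", exc)
```

In production code the quoting step itself belongs to the driver or server, for example `quote_ident()` in SQL, `PQescapeIdentifier()` in libpq, or `psycopg.sql.Identifier`; the validation in `checked_ident` is the part to add in front of them, and it is what makes the result of repeated calls a non-issue.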
