| From: | Phillip Diffley <phillip6402(at)gmail(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Stably escaping an identifier |
| Date: | 2025-06-17 09:49:15 |
| Message-ID: | CAGAwPgSOdaZo7G0q7+mbRRQzbccBiMTAXvL-devxpGvS0PmkRQ@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Thanks!
On Sun, Jun 15, 2025 at 10:11 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Phillip Diffley <phillip6402(at)gmail(dot)com> writes:
> > Is there a reliable way to determine if an identifier has already been
> > escaped, or alternatively is there a function that will stably escape an
> > identifier such that the identifier will not change if the function is
> > called repeatedly?
>
> This is impossible in general, because you can't know if the
> double-quotes are meant to be part of the identifier value.
>
> My advice here would be to flat-out reject input identifiers that
> contain double quotes. I'd suggest banning newlines too while
> at it, as those are known to create security issues in some
> contexts.
>
> regards, tom lane
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Marcin Gozdalik | 2025-06-17 16:20:04 | Changing locale of an existing database |
| Previous Message | Adrian Klaver | 2025-06-16 18:13:25 | Re: Getting error "too many clients already" despite having a db connection limit set |