Re: Stably escaping an identifier - Mailing list pgsql-general

From Phillip Diffley
Subject Re: Stably escaping an identifier
Date
Msg-id CAGAwPgSOdaZo7G0q7+mbRRQzbccBiMTAXvL-devxpGvS0PmkRQ@mail.gmail.com
In response to Re: Stably escaping an identifier  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-general
Thanks!

On Sun, Jun 15, 2025 at 10:11 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
Phillip Diffley <phillip6402@gmail.com> writes:
> Is there a reliable way to determine if an identifier has already been
> escaped, or alternatively is there a function that will stably escape an
> identifier such that the identifier will not change if the function is
> called repeatedly?

This is impossible in general, because you can't know if the
double-quotes are meant to be part of the identifier value.

My advice here would be to flat-out reject input identifiers that
contain double quotes.  I'd suggest banning newlines too while
at it, as those are known to create security issues in some
contexts.

                        regards, tom lane
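
The two points above, that double-quoting is not idempotent (so "is it already escaped?" is unanswerable) and that the practical fix is to reject identifiers containing double quotes or newlines, in a small added example. This is not code from the thread or from PostgreSQL; `quote_ident` below mimics the doubling rule PostgreSQL's `quote_ident()` applies, and `validate_ident` is a hypothetical helper that applies the rejection advice before quoting.

```python
# Added example: why stable (idempotent) identifier escaping is impossible, and
# the reject-on-input alternative suggested in the thread.

MAX_IDENT_BYTES = 63  # PostgreSQL truncates identifiers longer than NAMEDATALEN-1 bytes


def quote_ident(name: str) -> str:
    """Double-quote an identifier the way PostgreSQL's quote_ident() does:
    wrap it in double quotes and double every embedded double quote."""
    return '"' + name.replace('"', '""') + '"'


def demo_not_idempotent() -> list[str]:
    """Quoting twice produces a different identifier each time, so a caller
    cannot tell a quoted name from a raw name whose value contains quotes."""
    once = quote_ident("my table")
    twice = quote_ident(once)  # refers to a column literally named "my table", quotes included
    return [once, twice]


def validate_ident(name: str) -> str:
    """Hypothetical input check: refuse identifiers containing double quotes
    (the thread's advice) or newlines, rather than guessing intent."""
    if not name:
        raise ValueError("empty identifier")
    if '"' in name:
        raise ValueError("identifier contains a double quote; refusing it instead of guessing whether it is already quoted")
    if "\n" in name or "\r" in name:
        raise ValueError("identifier contains a newline")
    if len(name.encode("utf-8")) > MAX_IDENT_BYTES:
        raise ValueError("identifier longer than PostgreSQL will keep intact")
    return name


def safe_quote_ident(name: str) -> str:
    """Validate first, then quote exactly once. Calling this on its own output
    raises instead of silently producing a different identifier."""
    return quote_ident(validate_ident(name))


def is_acceptable(name: str) -> bool:
    """Convenience wrapper for callers that want a boolean instead of an exception."""
    try:
        validate_ident(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(demo_not_idempotent())          # ['"my table"', '"""my table"""']
    print(safe_quote_ident("user_data"))  # "user_data"
    print(is_acceptable('a"b'), is_acceptable("a\nb"))  # False False
```

Because `safe_quote_ident` refuses any name already containing a double quote, feeding its own output back in raises rather than re-escaping, which is the closest thing to "stable" behaviour available once the impossibility above is accepted. A stricter allow-list (letters, digits and underscore only) is a reasonable further tightening for names that come from untrusted input.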
