public inbox for [email protected]  
From: Tom Lane <[email protected]>
To: Phillip Diffley <[email protected]>
Cc: [email protected]
Subject: Re: Stably escaping an identifier
Date: Sun, 15 Jun 2025 16:11:24 -0400
Message-ID: <[email protected]> (raw)
In-Reply-To: <CAGAwPgQ+rhRaiPyrjG2DZhEgtYxRnsAa6jZYq2FdHu8Se+YWdg@mail.gmail.com>
References: <CAGAwPgQ+rhRaiPyrjG2DZhEgtYxRnsAa6jZYq2FdHu8Se+YWdg@mail.gmail.com>

Phillip Diffley <[email protected]> writes:
> Is there a reliable way to determine if an identifier has already been
> escaped, or alternatively is there a function that will stably escape an
> identifier such that the identifier will not change if the function is
> called repeatedly?

This is impossible in general, because you can't know if the
double-quotes are meant to be part of the identifier value.

My advice here would be to flat-out reject input identifiers that
contain double quotes.  I'd suggest banning newlines too while
at it, as those are known to create security issues in some
contexts.

			regards, tom lane
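
The ambiguity and the rejection rule from the message above, as an added Python illustration that is not part of the original email. `quote_ident` here is a local reimplementation of PostgreSQL's double-quoted identifier rule, and all function names, plus the carriage-return check, are assumptions of this sketch.

```python
# Added illustration. quote_ident() is a local reimplementation of PostgreSQL's
# double-quoted identifier rule; every name in this block is hypothetical.

def quote_ident(raw: str) -> str:
    """Wrap in double quotes and double each embedded double quote."""
    return '"' + raw.replace('"', '""') + '"'


def possible_meanings(s: str) -> set[str]:
    """Quoted SQL forms that s may stand for when its escaping state is unknown."""
    meanings = {quote_ident(s)}              # reading 1: s is a raw value
    inner = s[1:-1]
    looks_quoted = len(s) > 2 and s[0] == s[-1] == '"'
    # Inside a quoted identifier, double quotes may only appear in pairs.
    if looks_quoted and '"' not in inner.replace('""', ""):
        meanings.add(s)                      # reading 2: s is already quoted
    return meanings


class RejectedIdentifier(ValueError):
    """Input identifier contains a character the caller refuses to accept."""


def checked_quote_ident(raw: str) -> str:
    """Reject double quotes and newlines, then quote exactly once."""
    if '"' in raw:
        raise RejectedIdentifier("double quote in identifier")
    # Treating carriage return as a newline is an assumption of this sketch.
    if "\n" in raw or "\r" in raw:
        raise RejectedIdentifier("newline in identifier")
    return quote_ident(raw)


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ['orders', '"orders"', 'My "big" table', 'a\nb']:
        print(repr(sample), "->", sorted(possible_meanings(sample)))
        try:
            print("   accepted as", checked_quote_ident(sample))
        except RejectedIdentifier as exc:
            print("   rejected:", exc)
```

Once quotes are banned from input, every accepted value has exactly one reading, so quoting can happen a single time at the point where the SQL text is built.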





