From: Tom Lane
To: Phillip Diffley
cc: pgsql-general@postgresql.org
Subject: Re: Stably escaping an identifier
Date: Sun, 15 Jun 2025 16:11:24 -0400
Message-ID: <310038.1750018284@sss.pgh.pa.us>

Phillip Diffley writes:
> Is there a reliable way to determine if an identifier has already been
> escaped, or alternatively is there a function that will stably escape an
> identifier such that the identifier will not change if the function is
> called repeatedly?
This is impossible in general, because you can't know if the double-quotes
are meant to be part of the identifier value.

My advice here would be to flat-out reject input identifiers that contain
double quotes. I'd suggest banning newlines too while at it, as those are
known to create security issues in some contexts.

			regards, tom lane
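A worked illustration of the point in this reply, added here as an example; it is not code from the thread or from PostgreSQL itself. It models PostgreSQL's quote_ident() rule (a bare lowercase name passes through unchanged, anything else is wrapped in double quotes with embedded quotes doubled; the real function also quotes reserved keywords, which is omitted here as a simplification) and shows three things: a second pass changes any name that needed quoting, the text "Foo" is the same bytes whether it is the quoted form of Foo or the raw name "Foo" with the quotes as part of its value, and the reject-on-input check suggested above (double quotes and newlines refused, empty names refused as PostgreSQL would anyway). The class and function names are this example's own.

```python
"""Why an idempotent quote_ident() is impossible, and the reject-on-input
check that sidesteps the question.  Added example with a simplified model of
PostgreSQL's identifier quoting, not PostgreSQL's own code."""

import re

# Names PostgreSQL's quote_ident() leaves bare: lowercase ASCII letters, digits
# and underscore, not starting with a digit.  The real function also quotes
# reserved keywords; that keyword list is omitted here as a simplification.
_SAFE_NAME = re.compile(r"[a-z_][a-z0-9_]*")


def quote_ident(name: str) -> str:
    """Model of quote_ident(): bare if safe, else wrap in double quotes and
    double every embedded double quote."""
    if _SAFE_NAME.fullmatch(name):
        return name
    return '"' + name.replace('"', '""') + '"'


def is_stable(name: str) -> bool:
    """True iff quoting the already-quoted form returns the same text.
    This holds only for names that needed no quoting in the first place:
    once a name is wrapped in quotes, the quotes themselves need escaping."""
    once = quote_ident(name)
    return quote_ident(once) == once


class BadIdentifier(ValueError):
    """Raised for identifiers the input filter refuses."""


def check_identifier(name: str) -> str:
    """The input filter suggested in the reply: refuse any identifier containing
    a double quote (so 'is it already quoted?' never arises) or a newline.
    An empty name is refused too, since PostgreSQL rejects a zero-length
    delimited identifier anyway.  Returns the name unchanged if it passes."""
    if name == "":
        raise BadIdentifier("empty identifier")
    if '"' in name:
        raise BadIdentifier("double quote in identifier: %r" % name)
    if "\n" in name or "\r" in name:
        raise BadIdentifier("newline in identifier: %r" % name)
    return name


def safe_quote_ident(name: str) -> str:
    """Validate first, then quote exactly once.  Because validated input never
    contains a double quote, the output is unambiguous: it is always the
    quoted form of the raw name, never a raw name that merely looks quoted."""
    return quote_ident(check_identifier(name))


def rejected(name: str) -> bool:
    """Helper for callers/tests: does the input filter refuse this name?"""
    try:
        check_identifier(name)
    except BadIdentifier:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample identifiers, including the perverse-but-legal case of a
    # raw name that contains double quotes as part of its value.
    for raw in ["foo", "Foo", "user table", '"Foo"', 'a"b', "x\ny"]:
        once = quote_ident(raw)
        print("%-12r quote once: %-14r twice: %-18r stable=%s rejected=%s"
              % (raw, once, quote_ident(once), is_stable(raw), rejected(raw)))
    # The ambiguity in one line: the same bytes, two different meanings.
    print('quote_ident("Foo") == %r, raw name %r == same text'
          % (quote_ident("Foo"), '"Foo"'))
```

Run it and the table shows why a "has it been escaped yet?" test cannot exist: the string `"Foo"` is both the finished quoting of `Foo` and the unquoted raw name `"Foo"`, and quote_ident() must treat it as the latter, yielding `"""Foo"""`. Filtering out double quotes before quoting is what makes a single call unambiguous.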