Re: Stably escaping an identifier - Mailing list pgsql-general

From Tom Lane
Subject Re: Stably escaping an identifier
Date
Msg-id 310038.1750018284@sss.pgh.pa.us
In response to Stably escaping an identifier  (Phillip Diffley <phillip6402@gmail.com>)
List pgsql-general
Phillip Diffley <phillip6402@gmail.com> writes:
> Is there a reliable way to determine if an identifier has already been
> escaped, or alternatively is there a function that will stably escape an
> identifier such that the identifier will not change if the function is
> called repeatedly?

This is impossible in general, because you can't know if the
double-quotes are meant to be part of the identifier value.

My advice here would be to flat-out reject input identifiers that
contain double quotes.  I'd suggest banning newlines too while
at it, as those are known to create security issues in some
contexts.

            regards, tom lane
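
The following is an added example, not part of the original message: it shows why quoting cannot be made idempotent and how the reject-then-quote approach suggested above behaves. The helper names `quote_ident` and `safe_ident` are hypothetical (not a driver API), and rejecting carriage returns and empty strings is an assumption of this example.

```python
# Characters refused outright. Double quote and newline come from the reply;
# carriage return is an added assumption of this example.
FORBIDDEN = ('"', "\n", "\r")


def quote_ident(raw: str) -> str:
    """Quote by the standard SQL rule: wrap in double quotes and double
    any embedded double quote. Hypothetical helper, not a driver API."""
    return '"' + raw.replace('"', '""') + '"'


def safe_ident(raw: str) -> str:
    """Validate an *unquoted* identifier value, then quote it exactly once."""
    if not raw:
        # Assumption: treat the empty string as invalid input.
        raise ValueError("empty identifier")
    for ch in FORBIDDEN:
        if ch in raw:
            raise ValueError(f"identifier contains forbidden character {ch!r}")
    return quote_ident(raw)


def demo() -> dict:
    once = quote_ident("my table")   # quoted form of the raw name
    twice = quote_ident(once)        # a different identifier: not idempotent
    results = {"once": once, "twice": twice, "rejected": []}
    # Constructed inputs: an already-quoted name, an embedded quote, a newline.
    for candidate in ['"my table"', 'a"b', "line1\nline2"]:
        try:
            safe_ident(candidate)
        except ValueError:
            results["rejected"].append(candidate)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", repr(value))
```

Because `safe_ident` rejects any input containing a double quote, feeding it its own output fails loudly instead of silently producing a different identifier.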


