Re: Stably escaping an identifier

Phillip Diffley <phillip6402@xxxxxxxxx> writes:
> Is there a reliable way to determine if an identifier has already been
> escaped, or alternatively is there a function that will stably escape an
> identifier such that the identifier will not change if the function is
> called repeatedly?

This is impossible in general, because you can't know if the
double-quotes are meant to be part of the identifier value.

My advice here would be to flat-out reject input identifiers that
contain double quotes.  I'd suggest banning newlines too while
at it, as those are known to create security issues in some
contexts.

			regards, tom lane
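
An added illustration, not part of the original message: the Python sketch below shows why a string such as `"users"` has two valid readings (so no function can tell whether it was already escaped), and how rejecting double quotes and newlines up front removes the ambiguity. All function names are hypothetical, and treating a carriage return as a newline is an assumption of the example.

```python
# Added example; function names are hypothetical, not a PostgreSQL or driver API.

def quote_ident(name: str) -> str:
    """Always-quoting form: wrap in double quotes, double any embedded ones."""
    return '"' + name.replace('"', '""') + '"'


def unquote_ident(quoted: str) -> str:
    """Inverse of quote_ident; raises ValueError if not a well-formed quoted form."""
    if len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
        raise ValueError("not a delimited identifier")
    inner = quoted[1:-1]
    if '"' in inner.replace('""', ''):  # an odd run of quotes leaves one behind
        raise ValueError("unpaired double quote inside identifier")
    return inner.replace('""', '"')


def readings(value: str) -> set:
    """Every object name that `value` could denote, escaped or not."""
    names = {value}                      # reading 1: raw name, quotes are literal
    try:
        names.add(unquote_ident(value))  # reading 2: already-escaped form
    except ValueError:
        pass
    return names


def strict_quote_ident(name: str) -> str:
    """Reject double quotes and newlines, then quote exactly once."""
    # Treating "\r" as a newline is an assumption of this example.
    if any(ch in name for ch in ('"', "\n", "\r")):
        raise ValueError("identifier contains a double quote or newline")
    return quote_ident(name)


if __name__ == "__main__":
    once = quote_ident("users")
    print(once, quote_ident(once))       # quoting is not idempotent
    print(readings(once))                # two valid readings of the same string
    print(strict_quote_ident("users"))
    try:
        strict_quote_ident(once)         # re-submitted escaped value is refused
    except ValueError as exc:
        print("rejected:", exc)
```

With the strict variant, a value that has already been through the quoting step fails loudly on a second pass instead of silently naming a different object.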