Dialect-aware SQL identifier escaping.
Values are always sent to the database as bound parameters, but SQL
identifiers (table names, column names, aliases) are interpolated directly
into the generated SQL. If any of those identifiers can be influenced by
untrusted input (e.g. a dynamic ORDER BY column coming from a request),
interpolating them verbatim is a SQL-injection vector.
escape_identifier quotes identifiers using the dialect’s quote character
and doubles any embedded quote character, which is the standard, injection-safe
way to emit an identifier.
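The rule described above, as an added example (not the crate's own code): the `Dialect` enum, its three dialects and the `(ident, dialect)` signature are assumptions; only the quoting-and-doubling rule comes from the description. A constructed hostile ORDER BY column shows why doubling the quote keeps the input inside the identifier context.

```rust
// Added example, not the crate's own code. Dialect names, quote characters
// and the function signature are assumptions for illustration.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Dialect {
    Postgres, // "ident"
    Mysql,    // `ident`
    MsSql,    // [ident]
}

impl Dialect {
    /// Opening and closing identifier quote characters for this dialect.
    fn quote_chars(self) -> (char, char) {
        match self {
            Dialect::Postgres => ('"', '"'),
            Dialect::Mysql => ('`', '`'),
            Dialect::MsSql => ('[', ']'),
        }
    }
}

/// Wrap `ident` in the dialect's quote characters and double every embedded
/// closing quote, so the identifier can never terminate the quoted context.
pub fn escape_identifier(ident: &str, dialect: Dialect) -> String {
    let (open, close) = dialect.quote_chars();
    let mut out = String::with_capacity(ident.len() + 2);
    out.push(open);
    for c in ident.chars() {
        if c == close {
            out.push(close); // double the embedded quote
        }
        out.push(c);
    }
    out.push(close);
    out
}

/// Build an ORDER BY clause from a request-supplied column name (assumed table).
pub fn order_by(column: &str, dialect: Dialect) -> String {
    format!("SELECT id FROM users ORDER BY {}", escape_identifier(column, dialect))
}

fn main() {
    // Constructed hostile input: tries to close the quote and append a statement.
    let hostile = r#"name"; DROP TABLE users; --"#;
    println!("{}", order_by(hostile, Dialect::Postgres));
    println!("{}", order_by("created_at", Dialect::Mysql));
}
```

The first `println!` prints `SELECT id FROM users ORDER BY "name""; DROP TABLE users; --"`, a single (nonexistent) column name rather than two statements.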
Functions
- escape_identifier - Escape a SQL identifier so that attacker-controlled table/column/alias names cannot break out of the identifier context.