QUOTE_IDENT

Wrap a string in double quotes so it is safe to use as a SQL identifier in dynamic SQL.

Syntax

QUOTE_IDENT(str)

Description

## Overview Wraps the input string in double quotes, making it safe to use as a SQL identifier. Any embedded double-quote characters are escaped by doubling them. This is the canonical way to inject user-provided or data-driven identifiers (table names, column names, schema names) into dynamic SQL without introducing injection vulnerabilities. QUOTE_IDENT always emits double quotes, even for identifiers that would be valid unquoted. This is a defensive choice: the overhead is tiny, and it prevents mistakes where a naive 'is this reserved?' check misses a new keyword added to a future SQL version. ## Behavior - Returns NULL when the input is NULL. - Wraps the entire input in double quotes. - Escapes embedded double quotes by doubling them. - Preserves the case of the input inside the quotes (unlike an unquoted identifier, which is folded to lowercase). - Does not add any SQL-specific escaping beyond the double-quote doubling; other characters (spaces, punctuation, Unicode) are preserved verbatim. - Operates on Unicode code points. ## Compatibility - Matches the common SQL QUOTE_IDENT semantics. - Combines naturally with FORMAT's %I specifier for building dynamic SQL.

Parameters

Name	Type	Description
str		Specifies the identifier string to quote. Any embedded double-quote characters are escaped by doubling.

Examples

-- Simple identifier (still wrapped in quotes for safety)
SELECT QUOTE_IDENT('users');  -- '"users"'

-- Identifier containing a space
SELECT QUOTE_IDENT('my table');  -- '"my table"'

-- Mixed-case identifier is preserved inside quotes
SELECT QUOTE_IDENT('MyColumn');  -- '"MyColumn"'

-- Embedded double quotes are escaped
SELECT QUOTE_IDENT('col"name');  -- '"col""name"'

-- NULL propagates
SELECT QUOTE_IDENT(CAST(NULL AS VARCHAR));  -- NULL

-- Build a dynamic SELECT that targets a column whose name is data-driven
SELECT FORMAT('SELECT %I FROM %I.%I', column_name, schema_name, table_name)
FROM ops.analytics.report_specs;

Pitfalls

• QUOTE_IDENT does not protect against NUL characters or other characters that are illegal inside SQL identifiers in some dialects. Validate untrusted input upstream.
• Quoted identifiers preserve case. QUOTE_IDENT('Users') yields '"Users"', which is a different object from unquoted users. Lowercase the input if you want the SQL-standard folded form.
• The function does not know whether the identifier exists. It only wraps the name; object existence is your responsibility to check.
• Double-quote escaping is not the same as single-quote escaping. Never use QUOTE_IDENT for string literals; use QUOTE_LITERAL or QUOTE_NULLABLE.

See Also

• quote_literal
• quote_nullable
• format
• parse_ident