backslash_quote — PostgreSQL configuration parameter

Category Version and Platform Compatibility

This parameter controls whether a quote mark can be represented by \' in the escape string syntax (E'...').

At a glance

Property        Value
Parameter       backslash_quote
Category        Version and Platform Compatibility
Default         safe_encoding
Value type      enum
Change scope    Per-session (SET)
Available in    PostgreSQL 12, 13, 14, 15, 16, 17, 18, 19 (added in 12)

What it does

This parameter controls whether a quote mark can be represented by \' in the escape string syntax (E'...'). The preferred, SQL-standard way to represent a quote mark is by doubling it ('') but PostgreSQL has historically also accepted \'. However, use of \' creates security risks because in some client character set encodings, there are multibyte characters in which the last byte is numerically equivalent to ASCII \. If client-side code does escaping incorrectly then an SQL-injection attack is possible. This risk can be prevented by making the server reject queries in which a quote mark appears to be escaped by a backslash. The allowed values of backslash_quote are on (allow \' always), off (reject always), and safe_encoding (allow only if client encoding does not allow ASCII \ within a multibyte character). safe_encoding is the default setting.

Note that in an ordinary string literal, \ just means \ anyway. This parameter only affects the handling of escape string syntax.

(Description quoted from the official PostgreSQL documentation.)
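
The safe_encoding rule described above can be checked per client encoding. The following is an added example, not code from PostgreSQL or its documentation: it uses Python's codecs as a stand-in for the server's encoding tables to find multibyte characters whose last byte is 0x5C, then models the three documented values. The PG_TO_PY mapping and all function names are assumptions made for illustration.

```python
# Added example: models the safe_encoding rule using Python codecs.
# PG_TO_PY is an assumed mapping from PostgreSQL client_encoding names
# to Python codec names; it is not part of PostgreSQL.
PG_TO_PY = {
    "UTF8": "utf-8",
    "EUC_JP": "euc_jp",
    "LATIN1": "latin-1",
    "SJIS": "shift_jis",
    "BIG5": "big5",
    "GBK": "gbk",
}

BACKSLASH = 0x5C  # ASCII backslash


def trailing_backslash_chars(py_codec, limit=3):
    """Return up to `limit` (char, hex) pairs whose multibyte form ends in 0x5C."""
    hits = []
    for cp in range(0x80, 0x10000):  # non-ASCII part of the BMP
        try:
            raw = chr(cp).encode(py_codec)
        except UnicodeEncodeError:  # not representable in this encoding
            continue
        if len(raw) > 1 and raw[-1] == BACKSLASH:
            hits.append((chr(cp), raw.hex()))
            if len(hits) == limit:
                break
    return hits


def encoding_is_safe(pg_encoding):
    """True if no multibyte character in the encoding ends in a backslash byte."""
    return not trailing_backslash_chars(PG_TO_PY[pg_encoding], limit=1)


def accepts_backslash_quote(setting, pg_encoding):
    """Model of the documented values: would \\' be accepted in E'...'?"""
    if setting == "on":
        return True
    if setting == "off":
        return False
    if setting == "safe_encoding":
        return encoding_is_safe(pg_encoding)
    raise ValueError(f"unknown backslash_quote value: {setting!r}")


if __name__ == "__main__":
    for name, codec in PG_TO_PY.items():
        verdict = "safe" if encoding_is_safe(name) else "unsafe"
        print(f"{name:7} {verdict:7} {trailing_backslash_chars(codec)}")
```

Encodings reported as unsafe are the ones where escaping code that works byte by byte can mistake the second byte of a character for a backslash, which is the case safe_encoding rejects.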

How to apply a change

Can be set per session with SET, per role/database with ALTER ROLE/DATABASE ... SET, or globally in postgresql.conf.

Inspect the current value and source with SHOW backslash_quote; or SELECT name, setting, unit, context, source FROM pg_settings WHERE name = 'backslash_quote';.

Tuning guidance

This controls backward-compatibility behaviour, not performance. Keep it at the modern default unless a specific legacy application depends on the older behaviour; turning compatibility flags on to paper over application bugs stores up problems for a future upgrade. Treat any non-default value as technical debt to remove.

Reference

PostgreSQL documentation — backslash_quote.
