in reply to Detect SQL injection

I think that quote_identifier avoids the injection problem by itself, but I'm not sure, and it could depend on the database used.

In my opinion the real question is: do you really need to allow users to use ANY valid name for a table/column? For it is certainly easier to allow only a subset of valid names (say /[_A-Z][_A-Z0-9]*/i) than to try to foresee any possible attack strategy.

Rule One: "Do not act incautiously when confronting a little bald wrinkly smiling man."
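
The allowlist approach suggested in the reply above, as an added Perl example that is not part of the original post: the pattern is anchored with `\A` and `\z` so the whole name has to match, and values still travel as bind parameters. `checked_identifier` and `build_select` are hypothetical helper names, and the sample inputs are constructed.

```perl
use strict;
use warnings;

# Allowlist pattern from the post, anchored so the WHOLE name must match.
# Unanchored, it would match any string that merely contains one letter.
# \z is used instead of $ because $ also accepts a trailing newline.
my $IDENT_RE = qr/\A[_A-Z][_A-Z0-9]*\z/i;

# Hypothetical helper: returns the name unchanged if allowed, dies otherwise.
sub checked_identifier {
    my ($name) = @_;
    die "identifier missing\n" unless defined $name && length $name;
    die "identifier not in allowed subset\n" unless $name =~ $IDENT_RE;
    return $name;
}

# Hypothetical helper: identifiers are validated before interpolation;
# the compared value is never interpolated, it is left as a placeholder.
sub build_select {
    my ($table, $column) = @_;
    my $t = checked_identifier($table);
    my $c = checked_identifier($column);
    return "SELECT * FROM $t WHERE $c = ?";
}

# Constructed sample inputs: [ table, column ]
my @samples = (
    [ 'users',       'name'   ],   # accepted
    [ '_audit_2024', 'id'     ],   # accepted
    [ 'users',       "name\n" ],   # rejected: trailing newline
    [ 'order items', 'id'     ],   # rejected: whitespace
    [ 'users; --',   'name'   ],   # rejected: punctuation
    [ '1col',        'id'     ],   # rejected: leading digit
    [ 'users',       undef    ],   # rejected: missing
);

for my $s (@samples) {
    my $sql = eval { build_select(@$s) };
    chomp(my $err = $@ // '');
    # Make control characters and undef visible in the report.
    my $shown = join ', ', map { defined $_ ? $_ : '(undef)' } @$s;
    $shown =~ s/\n/\\n/g;
    printf "%-22s => %s\n", $shown, defined $sql ? $sql : "REJECTED ($err)";
}
```

With DBI, the returned statement would be passed to `prepare` and the value supplied to `execute`, so only the validated identifiers are ever interpolated into the SQL text.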